TDL4@MBR… the day I upgraded to Avast Pro 5

Good evening. I ran GMER and found the TDL4@MBR rootkit under Value, and under Name it was found as “\Device\Harddisk0\DR0”. My laptop runs Windows XP Pro, bought in 2009, an Inspiron 1545 with a Core 2 Duo processor and 260 GB. I am posting from my emergency laptop.

The bad part was that there was NO option to Kill or Delete File, which I found strange. I ran Malwarebytes and Avast in Safe Mode (quick scan), nothing found. TDSSKiller in both Safe Mode and normal Windows mode, nothing was found. On the day I upgrade from version 4.8 to Avast Pro, this happens… Thanks for reading. Any help would be greatly appreciated.

I forgot to add: I can’t even update. It reads “fail to connect to server” when Avast pops up that window in the bottom right telling me to update…

Hi…

Please download MBRCheck.exe to your desktop.

[*] Be sure to disable your security programs
[*] Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
[*] A small window should open on your desktop
[*] If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
[*] If nothing unusual is found, just press Enter.
[*] A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
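The decision MBRCheck is making in the post above, "known bootcode or not" plus a look at the partition table, as an added Python example; it is not the code of MBRCheck, aswMBR or avast. Everything in it is constructed for the demo: the sample MBR, its single-partition layout, the allow-list of trusted bootcode hashes (which a real checker fills from known OS and OEM MBRs), and the disk size, which only borrows the 238475 MB figure from the aswMBR logs in this thread.

```python
"""Parse a 512-byte MBR and check it the way a bootcode checker does.

Added example for this thread; it is not the code of MBRCheck, aswMBR or
avast. The sample MBR, its "known-good" hash and the disk geometry are all
constructed here for the demo.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440             # bytes 0..439 are boot code; 440..445 hold the disk signature and 2 reserved bytes
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count (16 bytes)
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of the four-slot partition table."""
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * 16
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(mbr: bytes, known_bootcode: dict, disk_sectors: int) -> dict:
    """Hash the bootcode against an allow-list, sanity-check the table,
    and report how much of the disk lies past the last partition."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    label = known_bootcode.get(digest)
    if label is None:
        findings.append("unknown bootcode, sha256 " + digest[:16] + "...")
    parts = parse_partition_table(mbr)
    if sum(1 for p in parts if p["active"]) > 1:
        findings.append("more than one active partition")
    last_end = 0
    for p in parts:
        end = p["lba_start"] + p["sectors"]
        if end > disk_sectors:
            findings.append("partition in slot %d runs past the end of the disk" % p["slot"])
        last_end = max(last_end, end)
    # Unpartitioned sectors after the last partition are outside every file system,
    # which is why an MBR scanner also looks at the end of the disk (the clean aswMBR
    # log in this thread shows it "scanning sectors +488392065" on a 238475 MB drive).
    tail = max(disk_sectors - last_end, 0)
    return {"bootcode": label or "UNKNOWN", "partitions": parts,
            "tail_start": last_end, "tail_sectors": tail, "findings": findings}


def build_sample_mbr(bootcode: bytes, disk_signature: int = 0x1234ABCD) -> bytes:
    """Constructed demo MBR: one active NTFS partition starting at LBA 63 (the usual XP layout)."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 488_000_000)
    table += b"\x00" * 48                      # three empty slots
    return code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + MBR_SIGNATURE


# Constructed stand-ins: a "factory" bootcode we trust, and the same code with its
# first bytes replaced by a far jump, standing in for an overwritten MBR.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c"
TAMPERED_BOOTCODE = b"\xea\x00\x00\x00\x00" + CLEAN_BOOTCODE[5:]
DEMO_DISK_SECTORS = 238475 * 2048            # 238475 MB drive (size taken from the logs above) in 512-byte sectors
KNOWN_BOOTCODE = {
    hashlib.sha256(build_sample_mbr(CLEAN_BOOTCODE)[:BOOTCODE_LEN]).hexdigest(): "constructed demo bootcode",
}

if __name__ == "__main__":
    for name, code in (("clean", CLEAN_BOOTCODE), ("tampered", TAMPERED_BOOTCODE)):
        report = check_mbr(build_sample_mbr(code), KNOWN_BOOTCODE, DEMO_DISK_SECTORS)
        print(name, report["bootcode"], report["findings"], "tail sectors:", report["tail_sectors"])
```

On a live machine the 512 bytes would come from \\.\PhysicalDrive0 opened read-only. When the MBR is being hidden, as the first aswMBR log in this thread reports, the bytes the driver stack hands back are exactly what cannot be trusted, which is why the helpers here ask for a fresh scan after the fix and a reboot.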

bump

aswMBR would be a simpler solution

Download aswMBR.exe (511 KB) to your desktop.

Double-click aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

To magna and essexboy: I used essexboy’s aswMBR.exe and this was found:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 16:16:43

16:16:43.484 OS Version: Windows 5.1.2600 Service Pack 3
16:16:43.484 Number of processors: 2 586 0x170A
16:16:43.484 ComputerName: UserName: lov
16:16:44.390 Initialize success
16:16:57.531 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\iaStor0
16:16:57.531 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
16:16:57.531 Device \Device\Ide\IAAStorageDevice-1 → ??\IDE#DiskWDC_WD2500BEVT-75ZCT2___________________11.01A11#4&3c2934d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:16:57.562 Disk 0 MBR read successfully
16:16:57.562 Disk 0 MBR scan
16:16:57.578 Disk 0 TDL4@MBR code has been found
16:16:57.578 Disk 0 MBR hidden
16:16:57.578 Disk 0 MBR [TDL4] ROOTKIT
16:16:57.578 Disk 0 trace - called modules:
16:16:57.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ae1f439]<<
16:16:57.578 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8adb0ab8]
16:16:57.578 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → [0x8adff4b8]
16:16:57.578 \Driver\iaStor[0x8adae458] → IRP_MJ_CREATE → 0x8ae1f439
16:16:57.578 Scan finished successfully

As instructed, I shut down my Avast 5 temporarily…

Am I supposed to press FIX, or just hand you the log details now that I have the results?


UPDATE: I have 2 laptops. I used the old TDSSKiller version 2.4.0, then downloaded the 2.4.7 version, and apparently (I think) it worked… it found the TDL4 rootkit; fast forward to reboot, and it’s “not there”.

Here are the aswMBR.exe results AFTER the TDL4 was removed by TDSSKiller (I don’t have any Google misdirections so far)…

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 16:33:21

16:33:21.031 OS Version: Windows 5.1.2600 Service Pack 3
16:33:21.031 Number of processors: 2 586 0x170A
16:33:21.031 ComputerName: ******** UserName: lov
16:33:21.734 Initialize success
16:33:24.687 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
16:33:24.687 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
16:33:24.750 Disk 0 MBR read successfully
16:33:24.750 Disk 0 MBR scan
16:33:24.796 Disk 0 scanning sectors +488392065
16:33:24.828 Disk 0 scanning C:\WINDOWS\system32\drivers
16:33:29.312 Service scanning
16:33:30.468 Disk 0 trace - called modules:
16:33:30.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:33:30.515 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8ae75ab8]
16:33:30.515 3 CLASSPNP.SYS[ba0e8fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8a851028]
16:33:30.515 Scan finished successfully

Now here are the GMER results as well…

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-26 16:41:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0
Running: bfjz7yhz.exe; Driver: C:\DOCUME~1\lov\LOCALS~1\Temp\uwdyapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x99FCFED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x99FCFD41]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9A00FBAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

…what am I looking at? Thanks

16:16:57.578 Disk 0 TDL4@MBR code has been found
16:16:57.578 Disk 0 MBR hidden
16:16:57.578 Disk 0 MBR [TDL4] **ROOTKIT**

After the scan, click “FIX” and reboot, then do a new scan, click “Save log” and post it.
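A triage pass over the two aswMBR logs in this thread, as an added example (not aswMBR's or avast's own code). It pulls out the indicators Pondus is pointing at: the hidden MBR, the [TDL4] verdict, the >>UNKNOWN<< entry in the called-module trace, and the iaStor IRP_MJ_CREATE dispatch that resolves to that same unbacked address; the clean post-fix log yields none of them. The two log excerpts are the relevant lines of the logs posted above, retyped with "->" arrows; the patterns also accept the "→" shown on this page.

```python
"""Triage an aswMBR log: was the MBR hidden, which rootkit name was flagged, and
does the disk-driver call trace end in code that belongs to no loaded module?

Added example for this thread, not aswMBR's or avast's own code. The two sample
logs are the relevant lines of the two logs posted above, copied by hand with
"->" arrows; the regexes accept both "->" and the "→" shown on the page.
"""
import re

INFECTED_LOG = r"""
16:16:57.562 Disk 0 MBR read successfully
16:16:57.562 Disk 0 MBR scan
16:16:57.578 Disk 0 TDL4@MBR code has been found
16:16:57.578 Disk 0 MBR hidden
16:16:57.578 Disk 0 MBR [TDL4] ROOTKIT
16:16:57.578 Disk 0 trace - called modules:
16:16:57.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ae1f439]<<
16:16:57.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adb0ab8]
16:16:57.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8adff4b8]
16:16:57.578 \Driver\iaStor[0x8adae458] -> IRP_MJ_CREATE -> 0x8ae1f439
16:16:57.578 Scan finished successfully
"""

CLEAN_LOG = r"""
16:33:24.750 Disk 0 MBR read successfully
16:33:24.750 Disk 0 MBR scan
16:33:24.796 Disk 0 scanning sectors +488392065
16:33:30.468 Disk 0 trace - called modules:
16:33:30.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:33:30.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae75ab8]
16:33:30.515 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a851028]
16:33:30.515 Scan finished successfully
"""

ARROW = r"(?:->|→)"
RE_TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+")
RE_CODE_FOUND = re.compile(r"(\S+) code has been found")
RE_ROOTKIT = re.compile(r"MBR \[(\w+)\] ROOTKIT")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
RE_DISPATCH = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\]\s*" + ARROW
                         + r"\s*(IRP_MJ_\w+)\s*" + ARROW + r"\s*(0x[0-9a-fA-F]+)")
RE_UNNAMED_TARGET = re.compile(r"nt!IofCallDriver\s*" + ARROW + r"\s*\[(0x[0-9a-fA-F]+)\]")


def triage_aswmbr(log: str) -> dict:
    """Extract the infection indicators from an aswMBR log and give a verdict."""
    result = {"mbr_read": False, "mbr_hidden": False, "signatures": [], "rootkits": [],
              "unknown_code": [], "hooked_dispatch": [], "unnamed_targets": [],
              "called_modules": []}
    for raw in log.splitlines():
        line = RE_TIMESTAMP.sub("", raw.strip())
        if not line:
            continue
        if line.endswith("MBR read successfully"):
            result["mbr_read"] = True
        elif line.endswith("MBR hidden"):
            # The driver stack returned something other than the sector really on disk.
            result["mbr_hidden"] = True
        elif line.startswith("ntkrnlpa.exe"):
            result["called_modules"] = line.split()
        m = RE_CODE_FOUND.search(line)
        if m:
            result["signatures"].append(m.group(1))
        m = RE_ROOTKIT.search(line)
        if m:
            result["rootkits"].append(m.group(1))
        m = RE_UNKNOWN.search(line)
        if m:
            # Code on the disk I/O path that no loaded module accounts for.
            result["unknown_code"].append(m.group(1).lower())
        m = RE_DISPATCH.search(line)
        if m:
            result["hooked_dispatch"].append((m.group(1), m.group(2), m.group(3).lower()))
        m = RE_UNNAMED_TARGET.search(line)
        if m:
            # IofCallDriver went to a bare address instead of a named device object.
            result["unnamed_targets"].append(m.group(1).lower())
    # A dispatch routine redirected into the same unbacked address seen in the
    # module trace is the hook itself; together with "MBR hidden" it means reads
    # of sector 0 through this driver do not return what is on the disk.
    result["dispatch_into_unknown"] = [
        d for d in result["hooked_dispatch"] if d[2] in result["unknown_code"]]
    infected = bool(result["rootkits"] or result["mbr_hidden"] or result["unknown_code"])
    result["verdict"] = "INFECTED" if infected else "clean"
    return result


if __name__ == "__main__":
    for name, log in (("before fix", INFECTED_LOG), ("after fix", CLEAN_LOG)):
        r = triage_aswmbr(log)
        print(name, r["verdict"], r["rootkits"], r["dispatch_into_unknown"])
```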

Pondus… thank you. The results I updated in the post before yours… what am I looking at? Thank you. I don’t know what this techie stuff is; that’s why I’m here.

I tried updating my virus definitions but “cannot connect to server” is still the same, but one problem at a time, I guess.

The new aswMBR log you posted looks clean.

Now do this:

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log)

Essexboy will look at the logs when he is back tomorrow.

@dellsux
If you wish…
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double-click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop. Attach DDS.txt to this topic.

OK, I did the MBAM thing and the OTS thing as per your instructions…

MBAM:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6179

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2011 5:05:24 PM
mbam-log-2011-03-26 (17-05-24).txt

Scan type: Quick scan
Objects scanned: 152826
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Pondus… the OTS results are more than 10,000 characters, so I can’t post them… is there a way to post them?

To MAGNA86, here are the results for the DDS thingy…


DDS (Ver_11-03-05.01) - NTFSx86
Run by lov at 17:25:17.48 on Sat 03/26/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2401 [GMT -7:00]
.
AV: avast! Antivirus Enabled/Outdated {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r215959\STacSV.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\lov\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_Plugin.exe -update plugin
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell DataSafe Online] “c:\program files\dell datasafe online\DataSafeOnline.exe” /m
mRun: [dellsupportcenter] “c:\program files\dell support center\bin\sprtcmd.exe” /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] “c:\program files\adobe\reader 9.0\reader\Reader_sl.exe”
mRun: [Adobe ARM] “c:\program files\common files\adobe\arm\1.0\AdobeARM.exe”
mRun: [Malwarebytes’ Anti-Malware] “c:\program files\malwarebytes’ anti-malware\mbamgui.exe” /starttray
mRun: [avast5] “c:\program files\alwil software\avast5\avastUI.exe” /nogui
mRun: [SunJavaUpdateSched] “c:\program files\common files\java\java update\jusched.exe”
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

…1ST HALF OF THE DDS RESULTS…

Use the attach function. :wink:

…2ND HALF OF THE DDS REPORT…

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lov\applic~1\mozilla\firefox\profiles\0naa42n2.default
FF - component: c:\documents and settings\lov\application data\mozilla\firefox\profiles\0naa42n2.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\lov\application data\mozilla\firefox\profiles\0naa42n2.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-25 340048]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-26 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-25 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes’ anti-malware\mbamservice.exe [2010-11-11 363344]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc → RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-1 113024]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-25 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-25 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-11 20952]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-1 160256]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-8-1 1656960]
.
=============== Created Last 30 ================
.
2011-03-26 02:31:20 -------- d-sha-r- C:\cmdcons
2011-03-26 02:28:52 98816 ----a-w- c:\windows\sed.exe
2011-03-26 02:28:52 89088 ----a-w- c:\windows\MBR.exe
2011-03-26 02:28:52 256512 ----a-w- c:\windows\PEV.exe
2011-03-26 02:28:52 161792 ----a-w- c:\windows\SWREG.exe
2011-03-26 00:18:53 340048 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-26 00:18:39 38848 ----a-w- c:\windows\avastSS.scr
2011-03-26 00:18:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-03-25 15:04:51 0 ----a-w- c:\windows\Ofifowohone.bin
2011-03-20 20:48:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\oDmIfDmImHe05200
2011-03-12 19:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-09 23:40:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-09 23:40:38 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-03 07:05:03 -------- d-----w- c:\docume~1\lov\applic~1\PCDr
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 04:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-03 02:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:14:45 1864064 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:31:13.76 ===============

Please use: Attach…!!!

OK, I found the attach link… hope it works… here are the OTS results.

The proxy settings were also changed

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{3041D03E-FD4B-44E0-B742-2D9B88305F98}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  USERNAME123.EXE.exe -> C:\Documents and Settings\lov\Desktop\USERNAME123.EXE.exe
NY ->  bfjz7yhz.exe -> C:\Documents and Settings\lov\Desktop\bfjz7yhz.exe
NY ->  Bkaduyokuyepe.dat -> C:\WINDOWS\Bkaduyokuyepe.dat
[Files - No Company Name]
NY ->  Bkaduyokuyepe.dat -> C:\WINDOWS\Bkaduyokuyepe.dat
NY ->  Ofifowohone.bin -> C:\WINDOWS\Ofifowohone.bin
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
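The proxy change essexboy is fixing above, as an added detection example in Python (not OTS's own code): it groups the ProxyEnable/ProxyServer lines of an OTS registry listing per hive and flags any hive where the proxy is enabled and points at the loopback interface. The hives in question matter: HKEY_USERS\S-1-5-18 is the LocalSystem account's hive and HKEY_USERS\.DEFAULT is the default profile, so those settings apply to services rather than to the logged-on user. The sample lines are the proxy lines from the fix above plus one constructed benign block for an ordinary user hive with a normal corporate proxy, to show that it is not flagged.

```python
"""Flag an enabled loopback proxy in OTS "Internet Explorer Settings" lines.

Added example for this thread, not OTS's own code. The first two hives in the
sample are the proxy lines from the OTS fix above; the third hive and its
proxy.corp.example:8080 entry are constructed as a benign comparison.
"""
import ipaddress
import re

SAMPLE_OTS_LINES = r"""
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1000-2000-3000-1001\] > ->
YN -> HKEY_USERS\S-1-5-21-1000-2000-3000-1001\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-21-1000-2000-3000-1001\: "ProxyServer" -> proxy.corp.example:8080
"""

# "YN -> <hive>\: "<value name>" -> <data>"; the arrow may be "->" or "→" on a web copy.
RE_PROXY_LINE = re.compile(
    r'^YN\s*(?:->|→)\s*(HKEY_USERS\\[^:\s]+?)\\?:\s*"(ProxyEnable|ProxyServer)"\s*(?:->|→)\s*(.+?)\s*$')
# Hives whose settings are used by services, not by an interactive user.
SERVICE_HIVES = {"HKEY_USERS\\.DEFAULT", "HKEY_USERS\\S-1-5-18"}


def parse_proxy_server(value: str) -> dict:
    """Split a ProxyServer string into {scheme: (host, port)}.
    Accepts "host:port" (all protocols, key "*") and "http=h:p;https=h:p" forms."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")      # empty scheme means all protocols
        host, _, port = hostport.rpartition(":")
        if not host:                                    # no port given at all
            host, port = hostport, ""
        proxies[scheme or "*"] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host: str) -> bool:
    """True for localhost and any address in the loopback ranges (127/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                                  # a host name, not an address
        return False


def find_proxy_hijacks(ots_text: str) -> list:
    """Group ProxyEnable/ProxyServer per hive and flag enabled loopback proxies."""
    per_hive = {}
    for raw in ots_text.splitlines():
        m = RE_PROXY_LINE.match(raw.strip())
        if not m:
            continue
        hive, name, value = m.groups()
        per_hive.setdefault(hive, {})[name] = value
    findings = []
    for hive, values in per_hive.items():
        enabled = values.get("ProxyEnable", "0").strip() in ("1", "0x1")
        proxies = parse_proxy_server(values.get("ProxyServer", ""))
        loopback = {s: hp for s, hp in proxies.items() if is_loopback(hp[0])}
        findings.append({
            "hive": hive,
            "service_hive": hive in SERVICE_HIVES,
            "enabled": enabled,
            "proxies": proxies,
            # An enabled proxy on 127.0.0.1 means every HTTP request made under this
            # hive is handed to a listener on the machine itself before it leaves.
            "suspicious": enabled and bool(loopback),
        })
    return findings


if __name__ == "__main__":
    for f in find_proxy_hijacks(SAMPLE_OTS_LINES):
        print(f["hive"], "service" if f["service_hive"] else "user", f["proxies"],
              "SUSPICIOUS" if f["suspicious"] else "ok")
```

The same grouping works on a live system by reading ProxyEnable and ProxyServer from each HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings key, which is the path the OTS fix log above deletes from.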

essexboy, here are the results…thanks

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer deleted successfully.
Unable to delete registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable .
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{3041D03E-FD4B-44E0-B742-2D9B88305F98} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{3041D03E-FD4B-44E0-B742-2D9B88305F98} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\lov\Desktop\USERNAME123.EXE.exe moved successfully.
C:\Documents and Settings\lov\Desktop\bfjz7yhz.exe moved successfully.
C:\WINDOWS\Bkaduyokuyepe.dat moved successfully.
[Files - No Company Name]
File C:\WINDOWS\Bkaduyokuyepe.dat not found!
C:\WINDOWS\Ofifowohone.bin moved successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 321 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 321 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 524422 bytes

User: lov
->Temp folder emptied: 14580123 bytes
->Temporary Internet Files folder emptied: 156481 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 144641984 bytes
->Flash cache emptied: 18273 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5341318 bytes
->Java cache emptied: 2020 bytes
->Flash cache emptied: 53460 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 88 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1015869 bytes

Total Files Cleaned = 159.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: lov
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 03272011_103728

Files\Folders moved on Reboot…
File move failed. C:\WINDOWS\temp_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

OK, any problems now?