Internet Browser Redirect


14 replies to this topic

#1 Fhallest

Fhallest

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 17 May 2012 - 12:02 PM

I am currently having the same issue as a few others on this site. I have tried numerous attempts to clean my machine with little or no success. I know my computer is sick but I do not know what to do to it at this point. I have run Mal, Avast, and numerous other removal software programs with no success. I have tried it in Safe Mode with and without networking. I can usually fix the issue but this time it has me up against the ropes. What my computer was doing at first was playing commercial ads, audio only. I looked on this forum for a solution and followed the directions. The audio has stopped but I am now getting Internet Explorer error messages and redirects when using a search engine or in the middle of doing something on the net. The redirect issue has happened on all internet browsers I have installed and removed. What has me confused is every time I run Mal Bytes I find issues but only in Normal Scan Mode (this takes forever) and am asked to reboot. I follow instructions and alas it reappears every time. I was hoping you could help me with this issue. I have read the posts here about reports or using software before told to when receiving assistance. I have run a lot of software to try to remove it on my own. I still do not know what the issue is and was hoping for some help. Thanks in advance for your help and assistance.

Randy


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,904 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:31 AM

Posted 17 May 2012 - 02:07 PM

Hello and welcome, please run these next..

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.


Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into the system disk (usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.




Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now reboot to Normal and run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, go to Start > All Programs > Malwarebytes Anti-Malware folder > Tools > click on Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).




Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security
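The proxy, hosts-file and Winsock checks in the steps above are exactly what MiniToolBox reports on, and they are the two places a browser redirect on a Windows PC usually lives: a search-engine domain pinned to a routable address in the hosts file, or a Winsock catalog entry whose provider DLL is missing. As an added example that is not part of this post or of the MiniToolBox tool, the Python script below parses a hosts file and MiniToolBox-style Winsock lines and flags both indicators. The sample inputs are constructed (the hosts lines mirror the hosts section of the MiniToolBox log posted later in this thread), and WATCHED_DOMAINS is an assumed watch list, not an official one.

```python
"""Audit a Windows hosts file and a MiniToolBox-style Winsock listing for
browser-redirect indicators.  Added example: the samples are constructed
and WATCHED_DOMAINS is an assumed watch list, not an official list."""
import ipaddress
import re

# Domains a home PC should never pin in its hosts file (assumed watch list).
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "bing.com", "www.bing.com",
    "yahoo.com", "www.yahoo.com", "bleepingcomputer.com",
    "www.bleepingcomputer.com",
}

# One MiniToolBox Winsock line, e.g. "Catalog5 02 mswsock.dll [File Not found] ()"
WINSOCK_LINE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(.*?)\]")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments
    and lines whose first field is not a valid IPv4/IPv6 address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not a hosts entry
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def classify_hosts(text):
    """Split hosts entries into (hijacked, review).

    hijacked: a watched domain pinned to a routable address (the classic
              hosts-file redirect).
    review:   any other routable pin; may be an intranet alias, may be
              malware, so a helper should look at it.
    Loopback / unspecified / link-local pins (ad-blocking style) are ignored.
    """
    hijacked, review = [], []
    for ip_str, name in parse_hosts(text):
        ip = ipaddress.ip_address(ip_str)
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue
        (hijacked if name in WATCHED_DOMAINS else review).append((ip_str, name))
    return hijacked, review


def broken_winsock_entries(text):
    """Return (catalog, index, provider) for Winsock catalog entries whose
    provider DLL is reported as missing.  A missing provider can break name
    resolution and is a common leftover of a removed LSP hijacker."""
    broken = []
    for raw in text.splitlines():
        m = WINSOCK_LINE.match(raw.strip())
        if m and m.group(4).lower() == "file not found":
            broken.append((m.group(1), m.group(2), m.group(3)))
    return broken


def audit(hosts_text, winsock_text):
    """Combine both checks into one report dictionary."""
    hijacked, review = classify_hosts(hosts_text)
    return {
        "hijacked": hijacked,
        "review": review,
        "broken_winsock": broken_winsock_entries(winsock_text),
    }


# --- constructed sample input (not captured from a real machine) ------------
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad-block style pin, benign
10.0.0.5        intranet.example.test  # routable but not a watched domain
93.113.196.124  www.google.com
93.113.196.125  www.bing.com
"""

SAMPLE_WINSOCK = r"""
Catalog5 01 C:\Windows\System32\nwprovau.dll [142336] (Microsoft Corporation)
Catalog5 02 mswsock.dll [File Not found] ()
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 mswsock.dll [File Not found] ()
"""

if __name__ == "__main__":
    for key, rows in audit(SAMPLE_HOSTS, SAMPLE_WINSOCK).items():
        print(f"{key}:")
        for row in rows:
            print("   ", *row)
```

On a live XP machine the hosts file is read from %SystemRoot%\system32\drivers\etc\hosts and the Winsock lines are pasted straight from the MiniToolBox Result.txt; the script only reports, it does not change anything, which is the right split when a helper is the one deciding on fixes.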

#3 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 18 May 2012 - 12:16 PM

Ok here is a brief story as to what happened.

I started with the list of steps I was to take in the reply I received. Everything was going smoothly until I rebooted after SUPERAntiSpyware. The program found numerous infections and a few trojans. I noticed that most of my desktop icons were missing and assumed it was part of the process. It asked me to reboot and I did as it recommended. Following this reboot all hell broke loose on my computer. It opened hundreds of error messages and just went crazy. I tried to run rkill but could not get to it on my computer as all icons were missing. I tried my flash drive and was blocked by phantom icons keeping me from accessing my backups. I erased all in the flash drive and went to another computer to retrieve my backups backup. I noticed that all applications were still on my flash drive but reloaded just to be safe. I then rebooted into safe mode expecting to be able to unhide my computer and alas my flash drive was attacked again even in safe mode. I am at a loss what to do next and hope you have some suggestions; as it stands I am really stuck.


Randy

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,504 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:08:31 AM

Posted 18 May 2012 - 05:08 PM

It opened hundreds of error messages and just went crazy.


Hi Randy.

Do you recall what the text of these error messages were?


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 18 May 2012 - 06:59 PM

To answer your question, I do not remember what the message was but it spawned hundreds of messages. I shut them all down but alas all my files had been hidden and I was being blocked from using any form of internet browser. My screen was black and my start button was the only thing working. I could not access my I drive as it too was held captive and kept saying all programs were .exe and related to porn. I could not do anything but remembered that I still had access to a command prompt and went to work with a sledge hammer to get my files back. A friend of mine is the ex-director of the University of Texas computer labs and a fellow geek. A few years ago he mentioned solving an issue like this without using the point and click solution. I used my wife's computer to contact him and came up with a command to restore my files to a point where I could get to rkill. It was
attrib -s -h -r c:/*.* /s /d from the cmd command prompt and it takes a while but I was told it would take a while to run. I still do not understand all it did but having friends and another computer connected to the internet is a necessary tool when dealing with disruptive software. I now have my computer back to a point where I can continue with Mal Bytes but I can tell it is still infected. It happens every time I reboot the machine. I will include all the reports I have when I am completed running all the recommended software.

Randy

#6 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 18 May 2012 - 10:22 PM

Here are some of the reports I finally got to run. I hope this helps as my computer is still infected and every time it restarts it happens again. I also know you are very busy and anything you can do is greatly appreciated.

Randy

Minitoolbox

MiniToolBox by Farbar Version: 18-01-2012
Ran by Randy (administrator) on 18-05-2012 at 21:13:05
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Could not flush the DNS Resolver Cache: Function failed during execution.




========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.no_proxies_on", "*.local"
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


93.113.196.124 www.google.com
93.113.196.125 www.bing.com


========================= IP Configuration: ================================

1394 Net Adapter = 1394 Connection (Disconnected)
NVIDIA nForce 10/100/1000 Mbps Ethernet = Local Area Connection 2 (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : cheese-imttnbn4

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection 2:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet #2

Physical Address. . . . . . . . . : 00-15-F2-0F-10-48

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.5

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Friday, May 18, 2012 9:09:11 PM

Lease Expires . . . . . . . . . . : Saturday, May 19, 2012 9:09:11 PM

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.227.104, 74.125.227.105, 74.125.227.102, 74.125.227.98
74.125.227.101, 74.125.227.97, 74.125.227.110, 74.125.227.100, 74.125.227.99
74.125.227.103, 74.125.227.96



Pinging google.com [74.125.227.130] with 32 bytes of data:



Reply from 74.125.227.130: bytes=32 time=61ms TTL=48

Reply from 74.125.227.130: bytes=32 time=62ms TTL=48



Ping statistics for 74.125.227.130:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 61ms, Maximum = 62ms, Average = 61ms

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=25ms TTL=51

Reply from 209.191.122.70: bytes=32 time=29ms TTL=51



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 25ms, Maximum = 29ms, Average = 27ms

Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 f2 0f 10 48 ...... NVIDIA nForce 10/100/1000 Mbps Ethernet #2
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.5 192.168.1.5 20
192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.5 10
192.168.1.5 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.5 192.168.1.5 10
224.0.0.0 240.0.0.0 192.168.1.5 192.168.1.5 10
255.255.255.255 255.255.255.255 192.168.1.5 192.168.1.5 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\nwprovau.dll [142336] (Microsoft Corporation)
Catalog5 02 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 04 mswsock.dll [File Not found] ()
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/18/2012 09:09:40 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006a55.
Error in creating result PEAP-TLV in response to received PEAP-TLV (iexplore.exe!ld!)

Error: (05/18/2012 06:47:26 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006a55.
Processing media-specific event for [iexplore.exe!ws!]

Error: (05/18/2012 10:27:11 AM) (Source: Application Error) (User: )
Description: Faulting application zwlh.exe, version 0.0.0.0, faulting module zwlh.exe, version 0.0.0.0, fault address 0x0001333a.
Processing media-specific event for [zwlh.exe!ws!]

Error: (05/18/2012 10:17:48 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006afc.
Error in creating result PEAP-TLV in response to received PEAP-TLV (iexplore.exe!ld!)

Error: (05/18/2012 07:22:14 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006afc.
Processing media-specific event for [iexplore.exe!ws!]

Error: (05/18/2012 06:03:21 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006aa8.
Error in creating result PEAP-TLV in response to received PEAP-TLV (iexplore.exe!ld!)

Error: (05/18/2012 06:03:17 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006a55.
Error in creating result PEAP-TLV in response to received PEAP-TLV (iexplore.exe!ld!)

Error: (05/18/2012 06:02:22 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006a55.
Error in creating result PEAP-TLV in response to received PEAP-TLV (iexplore.exe!ld!)

Error: (05/18/2012 06:00:12 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ws2_32.dll, version 5.1.2600.5512, fault address 0x00006aa8.
Processing media-specific event for [iexplore.exe!ws!]

Error: (05/18/2012 04:38:59 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x7ff91df8.
Processing media-specific event for [iexplore.exe!ws!]


System errors:
=============
Error: (05/17/2012 10:38:49 PM) (Source: Service Control Manager) (User: )
Description: The SSDP Discovery Service service depends on the following nonexistent service: HTTP

Error: (05/17/2012 04:56:26 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:25 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:24 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:23 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:21 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:20 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:19 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:18 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (05/17/2012 04:56:16 AM) (Source: Service Control Manager) (User: )
Description: The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.


Microsoft Office Sessions:
=========================
Error: (05/18/2012 09:09:40 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006a55

Error: (05/18/2012 06:47:26 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006a55

Error: (05/18/2012 10:27:11 AM) (Source: Application Error)(User: )
Description: zwlh.exe0.0.0.0zwlh.exe0.0.0.00001333a

Error: (05/18/2012 10:17:48 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006afc

Error: (05/18/2012 07:22:14 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006afc

Error: (05/18/2012 06:03:21 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006aa8

Error: (05/18/2012 06:03:17 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006a55

Error: (05/18/2012 06:02:22 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006a55

Error: (05/18/2012 06:00:12 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ws2_32.dll5.1.2600.551200006aa8

Error: (05/18/2012 04:38:59 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702unknown0.0.0.07ff91df8


=========================== Installed Programs ============================

µTorrent (Version: 3.1.2)
Adobe AIR (Version: 2.5.0.16600)
Adobe Flash Player 10 ActiveX (Version: 10.0.42.34)
Adobe Flash Player 11 Plugin (Version: 11.2.202.228)
Adobe Help Center 2.0 (Version: 2.0.0)
Adobe Photoshop Elements 4.0 (Version: 4.0)
Adobe Reader 9.4.7 (Version: 9.4.7)
Amazon Games & Software Downloader (Version: 2.0.2.0)
Amazon MP3 Downloader 1.0.12 (Version: 1.0.12)
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
AsusUpdate
Barbarian Invasion (Version: 1.4)
Bonjour (Version: 3.0.0.2)
Cataclysm
CCleaner (Version: 3.12)
CDDRV_Installer (Version: 1.00.0000)
Cheat Engine 6.1
Clan 'Mech Pak
Company of Heroes - FAKEMSI (Version: 2.0.0.0)
Company of Heroes (Version: 2.602.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Crysis® (Version: 1.10.0000)
Dangerous Waters
Dawn of War - Soulstorm (Version: 1.00.0000)
Distant Worlds (Version: 1.00)
DoWar2R (Version: RePack)
Dragon Age II (Version: 1.01)
Dragon Age: Origins (Version: 1.00)
EA Installer (Version: 2.2.0.62)
EA Shared Game Component: Activation (Version: 2.2.0)
EA Shared Game Component: Activation (Version: 2.2.0.62)
Earth 2160 (Version: 1.37 En)
Eastern Front (Version: 1.5.2.0)
Easy CD-DA Extractor 2010 (Version: 2010.1)
EasyBoost (Version: 1.0.8.1)
EPSON TWAIN 5
FX MOD 1.86
Galactic Civilizations II - Ultimate Edition
Google Toolbar for Internet Explorer (Version: 1.0.0)
GPGNet (Version: 1.0.0)
Homeworld2
Imperial Civil War
Impulse
Impulse (Version: 1.0)
Inner Sphere 'Mech Pak
iTunes (Version: 10.4.0.80)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
KhalInstallWrapper (Version: 4.00.121)
Kukuxumusu Digital Clock Screensaver
Kukuxumusu Dinner Screensaver
Logitech Registration (Version: 0.70.206)
Logitech SetPoint (Version: 4.00)
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
MapCreate USA (Version: 7.0)
Mass Effect 2 (Version: 1.02)
MechWarrior Black Knight
MechWarrior Vengeance
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 (Version: 2.0.50727)
Microsoft .NET Framework 3.0 (Version: 3.0.04506.30)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Games for Windows - LIVE (Version: 2.0.675.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 2.0.673.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
NVIDIA Control Panel 275.33 (Version: 275.33)
NVIDIA Drivers (Version: 1.10.62.40)
NVIDIA Graphics Driver 275.33 (Version: 275.33)
NVIDIA HD Audio Driver 1.1.13.1 (Version: 1.1.13.1)
NVIDIA Install Application (Version: 2.275.78.0)
NVIDIA nView 135.85 (Version: 135.85)
NVIDIA nView Desktop Manager (Version: 6.14.10.13585)
NVIDIA PhysX (Version: 9.10.0514)
NVIDIA PhysX System Software 9.10.0514 (Version: 9.10.0514)
NVIDIA Update 1.3.5 (Version: 1.3.5)
NVIDIA Update Components (Version: 1.3.5)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Pacific Storm - Allies (Version: 1.0)
Peggle Deluxe
Plants vs. Zombies
QuickTime (Version: 7.69.80.9)
Registry Mechanic 10.0 (Version: 10.0)
Rome - Total War (Version: 1.5)
Rome - Total War™ (Version: 1.2)
Rome Total War - patch 1.3 (Version: 1.3)
Samsung ML-2510 Series
Sorian AI Mod 1.9.7
SpeedFan (remove only)
Star Trek Starfleet Command III
Star Wars Empire at War (Version: 1.0)
Star Wars Empire at War Forces of Corruption (Version: 1.0)
StarCraft II (Version: 1.0.0.16117)
Steam (Version: 1.0.0.0)
SUPERAntiSpyware (Version: 5.0.1150)
Supreme Commander - Forged Alliance (Version: 1.00.0000)
Supreme Commander (Version: 1.00.0000)
Sword of the Stars ANY (Version: 1.8.0)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB980182) (Version: 1)
USB 2.0 MMC/SD Card Reader
VLC media player 1.1.11 (Version: 1.1.11)
Warcraft III Reign of Chaos & The Frozen Throne
WebFldrs XP (Version: 9.50.6513)
Windows 7 Upgrade Advisor (Version: 2.0.5000.0)
Windows Communication Foundation (Version: 3.0.04506.30)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Installer Clean Up (Version: 3.00.00.0000)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows PowerShell™ 1.0 (Version: 1)
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Workflow Foundation (Version: 3.0.4203.2)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
World in Conflict: Soviet Assault (Version: 1.0.1.1)
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall (Version: 1.2)
Zuma's Revenge!

========================= Memory info: ===================================

Percentage of memory in use: 32%
Total physical RAM: 2047.48 MB
Available physical RAM: 1374.26 MB
Total Pagefile: 3940.38 MB
Available Pagefile: 3372.68 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.88 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:116.44 GB) (Free:12.88 GB) NTFS
3 Drive d: () (Fixed) (Total:116.44 GB) (Free:53.56 GB) NTFS
5 Drive h: (Cracking) (Fixed) (Total:465.76 GB) (Free:129.7 GB) NTFS
6 Drive i: () (Removable) (Total:15.1 GB) (Free:15.03 GB) FAT32

========================= Users: ========================================

User accounts for \\CHEESE-IMTTNBN4

Administrator ASPNET Guest
HelpAssistant Married Randy
SUPPORT_388945a0 UpdatusUser


**** End of log ****

Malwarebytes

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.18.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Randy :: CHEESE-IMTTNBN4 [administrator]

5/18/2012 6:14:30 PM
mbam-log-2012-05-18 (18-14-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 370124
Time elapsed: 41 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|irMSTkFdIRNGS.exe (Trojan.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|CompositeLayer (Trojan.FakeMs) -> Data: "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\CompositeLayer\CompositeLayer.exe" /s -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: %APPDATA%\dplaysvr.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\CompositeLayer\CompositeLayer.exe (Trojan.FakeMs) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ksLpPoaSyjYkvb.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\1luy.exe (Trojan.FakeMs) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy\fieniz.com (Trojan.Lvbp) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy\voalon.com (Trojan.Lvbp) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy\zwlh.exe (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\949X6UCD\z[1] (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy\start1.exe (Trojan.ZADrop1) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\start1.exe (Trojan.ZADrop1) -> Quarantined and deleted successfully.

(end)


Superantispyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/18/2012 at 07:13 AM

Application Version : 5.0.1150

Core Rules Database Version : 8616
Trace Rules Database Version: 6428

Scan type : Complete Scan
Total Scan Time : 01:06:23

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 352
Memory threats detected : 0
Registry items scanned : 36591
Registry threats detected : 4
File items scanned : 68322
File threats detected : 104

Adware.Tracking Cookie

Trojan.Agent/Gen-FakeAlert
[~!#3C] C:\WINDOWS\TEMP\~!#3C.TMP
C:\WINDOWS\TEMP\~!#3C.TMP
[~!#41] C:\WINDOWS\TEMP\~!#41.TMP
C:\WINDOWS\TEMP\~!#41.TMP
[~!#3C] C:\WINDOWS\TEMP\~!#3C.TMP
[~!#41] C:\WINDOWS\TEMP\~!#41.TMP
C:\WINDOWS\Prefetch\~!#3C.TMP-197D9ED1.pf
C:\WINDOWS\Prefetch\~!#41.TMP-3A0375D9.pf

Trojan.Agent/Gen-MultiC
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.CHEESE-IMTTNBN4.001\START MENU\PROGRAMS\STARTUP\OSYZ.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\START MENU\PROGRAMS\STARTUP\HEYZEB.EXE
C:\DOCUMENTS AND SETTINGS\MARRIED\START MENU\PROGRAMS\STARTUP\EFILTI.EXE
C:\DOCUMENTS AND SETTINGS\RANDY\APPLICATION DATA\CYZA\IWUPY.EXE
C:\DOCUMENTS AND SETTINGS\UPDATUSUSER\START MENU\PROGRAMS\STARTUP\IWKE.EXE
C:\WINDOWS\Prefetch\IWUPY.EXE-381CB64A.pf
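As an added example (not from the thread, and not Malwarebytes' own tooling), a small Python parser for the detection lines of a Malwarebytes log like the one above: it pulls out the threat family, lists the Run-key autostart values that would have relaunched the payload after the reboot the poster kept being asked for, and checks each section's "Detected: N" header against the lines actually present. The sample log it runs on is a constructed excerpt modelled on the lines posted above.

```python
"""Triage helper for Malwarebytes Anti-Malware 1.x scan logs (added example for
this thread, not Malwarebytes' code). It reads the layout shown above: a header
such as "Registry Values Detected: 3" followed by one detection per line:
    <location> (<threat>) [-> Data: <cmd> | -> Bad: (x) Good: (y)] -> <action>.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Threat names are dotted (Trojan.FakeHDD, PUM.Hijack.StartMenu); requiring a
# dot stops the "(0)" in "Bad: (0) Good: (1)" being read as a threat name.
DETECTION_RE = re.compile(
    r"^(?P<location>.+?) \((?P<threat>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)+)\)"
    r"(?: -> (?P<detail>.+?))?"
    r" -> (?P<action>[^>]+?)\.?$"
)
# Run/RunOnce values: the autostart entries that bring a payload back on reboot.
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\|", re.IGNORECASE)

@dataclass
class Detection:
    section: str
    location: str
    threat: str
    action: str
    detail: Optional[str] = None  # "Data: <cmd>" or "Bad: (0) Good: (1)"

    @property
    def family(self) -> str:
        # "Trojan.FakeHDD" -> "FakeHDD", "PUM.Hijack.StartMenu" -> "Hijack.StartMenu"
        return self.threat.split(".", 1)[1]

    @property
    def payload(self) -> Optional[str]:
        # Registry value data: the command an autostart entry would run at logon.
        if self.detail and self.detail.startswith("Data: "):
            return self.detail[len("Data: "):]
        return None

    @property
    def is_autostart(self) -> bool:
        return bool(RUN_VALUE_RE.search(self.location))

@dataclass
class ScanReport:
    detections: List[Detection] = field(default_factory=list)
    declared: Dict[str, int] = field(default_factory=dict)

    def family_counts(self) -> Counter:
        return Counter(d.family for d in self.detections)

    def autostart_entries(self) -> List[Tuple[str, Optional[str]]]:
        # (value name, command) for every Run/RunOnce value the scan hit
        return [(d.location.rsplit("|", 1)[-1], d.payload)
                for d in self.detections if d.is_autostart]

    def count_mismatches(self) -> Dict[str, Tuple[int, int]]:
        # Sections whose "Detected: N" header disagrees with the lines parsed
        # under it, usually a line lost or truncated when the log was pasted.
        parsed = Counter(d.section for d in self.detections)
        return {s: (n, parsed.get(s, 0)) for s, n in self.declared.items()
                if n != parsed.get(s, 0)}

def parse_mbam_log(text: str) -> ScanReport:
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            report.declared[section] = int(m.group("count"))
            continue
        if section is None:
            continue  # banner, database version, scan options
        m = DETECTION_RE.match(line)
        if m:
            report.detections.append(Detection(
                section, m.group("location"), m.group("threat"),
                m.group("action").strip(), m.group("detail")))
    return report

# Constructed excerpt modelled on the log above; the Files section is
# deliberately one line short so the count check has something to report.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|irMSTkFdIRNGS.exe (Trojan.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|CompositeLayer (Trojan.FakeMs) -> Data: "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\CompositeLayer\CompositeLayer.exe" /s -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: %APPDATA%\dplaysvr.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Files Detected: 3
C:\Documents and Settings\All Users\Application Data\irMSTkFdIRNGS.exe (Trojan.FakeHDD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Randy\zwlh.exe (Trojan.Sirefef) -> Quarantined and deleted successfully.
"""
```

Running `parse_mbam_log(SAMPLE_LOG).count_mismatches()` on the sample returns `{"Files": (3, 2)}`, the kind of gap worth asking a poster about before declaring a log complete.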

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,904 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:31 AM

Posted 19 May 2012 - 08:21 PM

Hello, that looked pretty infected. Most likely these are all from torrent downloads; it's like a guarantee. You need to stop that procedure or this will get worse.
In exchange for free apps, some of those infections have stolen your personal info.

I do not see an antivirus, what is yours?

We still need to do more. Is it improving?

Go to Start ... Run and type in cmd.
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.



Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished, the utility outputs a list of detected objects with a description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.




Please download CKScanner and save it to your Desktop. <-Important!!!
  • Double-click on CKScanner.exe and click Search For Files.
  • If using Vista, right-click on it and Run As Administrator.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A text file will be created on your desktop named ckfiles.txt.
  • Click OK at the file saved message box.
  • Double-click the ckfiles.txt icon on your desktop to open the log and copy/paste the contents in your next reply.



Now you should run MBAM and SAS from the other user account.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

#8 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 20 May 2012 - 10:44 AM

I understand what happened to my computer. I did not have any antivirus software. Since my last post I have installed Avast. I am pretty sure that is how I became infected. I have since stopped playing with fire and will avoid torrents. Again, thanks for the help. If you need me to remove Avast, let me know; I have disabled it before running any scans. Would you recommend Avast for something else, and what level should I upgrade to, as I do not want to continue to use the freeware?






CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\randy\application data\utorrent\malwarebytes anti-malware v1.60.0.1800 final incl. keygen.torrent
scanner sequence 3.AP.11.GICPNQ
----- EOF -----


Thanks

Randy

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,904 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:31 AM

Posted 20 May 2012 - 07:48 PM

Ok... Did you reset winsock and run TDSS? I do not see a TDSS log.
And yes, Avast is good.

Also, did you create this drive? #5
========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:116.44 GB) (Free:12.88 GB) NTFS
3 Drive d: () (Fixed) (Total:116.44 GB) (Free:53.56 GB) NTFS
5 Drive h: (Cracking) (Fixed) (Total:465.76 GB) (Free:129.7 GB) NTFS.
6 Drive i: () (Removable) (Total:15.1 GB) (Free:15.03 GB) FAT32



We still need to see the TDSS log and do another scan, maybe two, as malware like this usually has bad friends.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.



Just so I drive home this point...

IMPORTANT NOTE: The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Before we can continue, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.

Using these types of programs or the websites you visited to get them is almost a guaranteed way to get yourself infected!!

#10 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 20 May 2012 - 08:58 PM

The TDSSKiller report was empty, so I could have posted an empty space but thought this was easier. It did not find anything. I also did everything you asked me to do in the last reply. If I am missing a report, please let me know. I know what the H drive is; it is my second hard drive, and my main drive has two partitions. It's named after a Wallace and Gromit movie, Cracking Contraptions. Ok, what do we do next, and did I miss a step? I would say I have egg on my face, but that would be an understatement. First, I did not have virus protection up and running, and secondly I used a key-logger and should have known better. Ok, how do I keep these little critters from getting back on every time they are removed? It's like saying "honey, where is my super suit" and you get the reply "it's at the cleaners"; just insert antivirus for super suit. So if you wanna know if this is a teachable moment in my life, I would have to say yes. So again, let me know what I need to know, and "no capes".


Randy

Edited by Fhallest, 20 May 2012 - 09:07 PM.


#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,904 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:31 AM

Posted 20 May 2012 - 09:32 PM

Avast will help with the repeaters.
I'm glad TDSS was clean.
Please post the ESET log.



Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically, go HERE and click the Posted Image button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the prompts in the Fix it wizard.




Rerun Mini like this.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Edited by boopme, 20 May 2012 - 09:33 PM.

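Added here as an example (not the Fix it tool linked above, and not code from anyone in the thread), a Python audit of a Windows HOSTS file for the tampering a Qhost-class infection leaves behind: security-vendor sites redirected or sinkholed, localhost pointed somewhere other than loopback, or the file missing altogether. The watch-list of vendor domains and the sample entries are assumptions constructed for illustration.

```python
"""Audit a Windows HOSTS file for Qhost-style tampering: security or update
sites pointed at a foreign address or sinkholed to loopback, "localhost"
pointed anywhere but loopback, or the file missing altogether (which is what
a MiniToolBox line like "Hosts file not detected in the default directory"
reports once an antivirus has quarantined it). Added example for this thread,
not a tool anyone here recommended; the watch-list of domains is assumed."""
import ipaddress
import os
from dataclasses import dataclass
from typing import List

DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"  # XP default
# Assumed watch-list: domains a hijacker typically blocks or redirects so the
# victim cannot reach help, fetch updates or download a scanner.
WATCHED_DOMAINS = ("malwarebytes.org", "superantispyware.com", "eset.com",
                   "avast.com", "microsoft.com", "bleepingcomputer.com")

@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line_no: int   # 0 for findings about the file as a whole
    message: str

def _watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def _sinkhole(ip) -> bool:
    # 127.x / ::1 or 0.0.0.0: the name resolves to nowhere useful
    return ip.is_loopback or ip.is_unspecified

def audit_hosts_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding("medium", n, f"malformed entry: {line!r}"))
            continue
        if len(fields) < 2:
            findings.append(Finding("medium", n, f"address without a name: {line!r}"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name == "localhost":
                if not ip.is_loopback:
                    findings.append(Finding("high", n, f"localhost mapped to {ip}"))
            elif _watched(name) and _sinkhole(ip):
                findings.append(Finding("high", n, f"{name} blocked (sinkholed to {ip})"))
            elif _watched(name):
                findings.append(Finding("high", n, f"{name} redirected to {ip}"))
            elif not _sinkhole(ip):
                findings.append(Finding("medium", n, f"{name} redirected to {ip}"))
            else:
                # loopback entries are how ad-blocking hosts lists work: note, don't alarm
                findings.append(Finding("info", n, f"{name} blocked"))
    return findings

def audit_hosts_file(path: str = DEFAULT_HOSTS_PATH) -> List[Finding]:
    if not os.path.isfile(path):
        return [Finding("high", 0, f"hosts file missing at {path}; restore the default")]
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts_text(fh.read())

# Constructed sample: the first two lines are the XP default, the rest are the
# kinds of entries a Qhost infection adds (addresses from the documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net
192.0.2.10      www.malwarebytes.org
192.0.2.10      superantispyware.com
0.0.0.0         update.avast.com
192.0.2.44      search.example.com
"""

if __name__ == "__main__":
    for f in audit_hosts_text(SAMPLE_HOSTS):
        print(f"[{f.severity}] line {f.line_no}: {f.message}")
```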

#12 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 21 May 2012 - 12:18 PM

This is the text report ESET generated, and you were right, it took a long time. Should I restore the files or close the windows for ESET? MiniToolBox has been added.


C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8CQ8267A\sweet-tired-cat-ooh[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C71OS1FT\cat-and-dolphin-playing-together[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CTAGT1I0\mx_nan_a[1].txt HTML/Iframe.B.Gen virus deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Y0DVXOPF\cat-and-dolphin-playing-together[1].txt HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\Randy\nuomeap.exe Win32/AutoRun.VB.AWC worm cleaned by deleting - quarantined
C:\Documents and Settings\Randy\Application Data\Mozilla\Firefox\Profiles\viopv5ur.default\extensions\fuogzhqrib@fuogzhqrib.org.xpi JS/Redirector.NBX trojan deleted - quarantined
C:\Documents and Settings\Randy\My Documents\Downloads\Mechwarrior 4_ Mercenaries Trainer - Bie\mw3n4_all_bie.exe probably a variant of Win32/Agent.JNVSKVX trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\1a86bfa9-10f3c6da Win32/TrojanDownloader.Vespula.AY trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z6XSGYY7\hotelsaleprices_biz[1].htm HTML/Iframe.B.Gen virus deleted - quarantined
C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\~!#1.tmp a variant of Win32/Injector.RPJ trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\~!#1F.tmp a variant of Win32/Injector.RPJ trojan cleaned by deleting - quarantined
H:\Downloads\Mech 3\mech3_NosTraDomus.iso Win32/Keylogger.HotKeysHook.A virus deleted - quarantined
H:\Downloads\Mech 3\mech3_NosTraDomus\extras\Trainers\Mw3Trainer1.2.exe Win32/Keylogger.HotKeysHook.A virus deleted - quarantined
H:\Torrents\Phoenix.exe probably a variant of Win32/TrojanDownloader.Agent.HMUFFBC trojan deleted - quarantined





MiniToolBox by Farbar Version: 18-01-2012
Ran by Randy (administrator) on 21-05-2012 at 11:55:08
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
Hosts file not detected in the default directory
========================= IP Configuration: ================================


WARNING: Could not obtain host information from machine: [CHEESE-IMTTNBN4]. Some commands may not be available.
The specified module could not be found.



# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : cheese-imttnbn4
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet #2
Physical Address. . . . . . . . . : 00-15-F2-0F-10-48
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Monday, May 21, 2012 11:35:32 AM
Lease Expires . . . . . . . . . . : Tuesday, May 22, 2012 11:35:32 AM

Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.224.134, 74.125.224.131, 74.125.224.128, 74.125.224.133
74.125.224.130, 74.125.224.129, 74.125.224.142, 74.125.224.137, 74.125.224.135
74.125.224.136, 74.125.224.132

Pinging google.com [74.125.224.128] with 32 bytes of data:

Reply from 74.125.224.128: bytes=32 time=58ms TTL=52
Reply from 74.125.224.128: bytes=32 time=65ms TTL=52

Ping statistics for 74.125.224.128:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 58ms, Maximum = 65ms, Average = 61ms

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=28ms TTL=51
Reply from 209.191.122.70: bytes=32 time=27ms TTL=51

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 28ms, Average = 27ms

Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 f2 0f 10 48 ...... NVIDIA nForce 10/100/1000 Mbps Ethernet #2
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
            0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5      10
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
        169.254.0.0      255.255.0.0      192.168.1.5      192.168.1.5      20
        192.168.1.0    255.255.255.0      192.168.1.5      192.168.1.5      10
        192.168.1.5  255.255.255.255        127.0.0.1        127.0.0.1      10
      192.168.1.255  255.255.255.255      192.168.1.5      192.168.1.5      10
          224.0.0.0        240.0.0.0      192.168.1.5      192.168.1.5      10
    255.255.255.255  255.255.255.255      192.168.1.5      192.168.1.5       1
Default Gateway:         192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\nwprovau.dll [142336] (Microsoft Corporation)
Catalog5 02 mswsock.dll [File Not found] ()
Catalog5 03 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 04 mswsock.dll [File Not found] ()
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)

=========================== Installed Programs ============================

µTorrent (Version: 3.1.2)
Adobe AIR (Version: 2.5.0.16600)
Adobe Flash Player 11 ActiveX (Version: 11.2.202.235)
Adobe Flash Player 11 Plugin (Version: 11.2.202.228)
Adobe Help Center 2.0 (Version: 2.0.0)
Adobe Photoshop Elements 4.0 (Version: 4.0)
Adobe Reader 9.4.7 (Version: 9.4.7)
Amazon Games & Software Downloader (Version: 2.0.2.0)
Amazon MP3 Downloader 1.0.12 (Version: 1.0.12)
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.3.127)
AsusUpdate
avast! Free Antivirus (Version: 7.0.1426.0)
Barbarian Invasion (Version: 1.4)
Bonjour (Version: 3.0.0.2)
Cataclysm
CCleaner (Version: 3.12)
CDDRV_Installer (Version: 1.00.0000)
Cheat Engine 6.1
Clan 'Mech Pak
Company of Heroes - FAKEMSI (Version: 2.0.0.0)
Company of Heroes (Version: 2.602.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Crysis® (Version: 1.10.0000)
Dangerous Waters
Dawn of War - Soulstorm (Version: 1.00.0000)
Distant Worlds (Version: 1.00)
DoWar2R (Version: RePack)
Dragon Age II (Version: 1.01)
Dragon Age: Origins (Version: 1.00)
EA Installer (Version: 2.2.0.62)
EA Shared Game Component: Activation (Version: 2.2.0)
EA Shared Game Component: Activation (Version: 2.2.0.62)
Earth 2160 (Version: 1.37 En)
Eastern Front (Version: 1.5.2.0)
Easy CD-DA Extractor 2010 (Version: 2010.1)
EasyBoost (Version: 1.0.8.1)
EPSON TWAIN 5
ESET Online Scanner v3
FX MOD 1.86
Galactic Civilizations II - Ultimate Edition
Google Chrome (Version: 19.0.1084.46)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Update Helper (Version: 1.3.21.111)
GPGNet (Version: 1.0.0)
Homeworld2
Imperial Civil War
Impulse
Impulse (Version: 1.0)
Inner Sphere 'Mech Pak
iTunes (Version: 10.4.0.80)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
KhalInstallWrapper (Version: 4.00.121)
Kukuxumusu Digital Clock Screensaver
Kukuxumusu Dinner Screensaver
Logitech Registration (Version: 0.70.206)
Logitech SetPoint (Version: 4.00)
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
MapCreate USA (Version: 7.0)
Mass Effect 2 (Version: 1.02)
MechWarrior Black Knight
MechWarrior Vengeance
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 (Version: 2.0.50727)
Microsoft .NET Framework 3.0 (Version: 3.0.04506.30)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Games for Windows - LIVE (Version: 2.0.675.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 2.0.673.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
NVIDIA Control Panel 275.33 (Version: 275.33)
NVIDIA Drivers (Version: 1.10.62.40)
NVIDIA Graphics Driver 275.33 (Version: 275.33)
NVIDIA HD Audio Driver 1.1.13.1 (Version: 1.1.13.1)
NVIDIA Install Application (Version: 2.275.78.0)
NVIDIA nView 135.85 (Version: 135.85)
NVIDIA nView Desktop Manager (Version: 6.14.10.13585)
NVIDIA PhysX (Version: 9.10.0514)
NVIDIA PhysX System Software 9.10.0514 (Version: 9.10.0514)
NVIDIA Update 1.3.5 (Version: 1.3.5)
NVIDIA Update Components (Version: 1.3.5)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Pacific Storm - Allies (Version: 1.0)
Peggle Deluxe
Plants vs. Zombies
QuickTime (Version: 7.69.80.9)
Registry Mechanic 10.0 (Version: 10.0)
Revo 7.1 Drivers (Version: 5.10.00.5063v2)
Rome - Total War (Version: 1.5)
Rome - Total War™ (Version: 1.2)
Rome Total War - patch 1.3 (Version: 1.3)
Samsung ML-2510 Series
Sorian AI Mod 1.9.7
SpeedFan (remove only)
Star Trek Starfleet Command III
Star Wars Empire at War (Version: 1.0)
Star Wars Empire at War Forces of Corruption (Version: 1.0)
StarCraft II (Version: 1.0.0.16117)
Steam (Version: 1.0.0.0)
SUPERAntiSpyware (Version: 5.0.1150)
Supreme Commander - Forged Alliance (Version: 1.00.0000)
Supreme Commander (Version: 1.00.0000)
Sword of the Stars ANY (Version: 1.8.0)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB980182) (Version: 1)
USB 2.0 MMC/SD Card Reader
VLC media player 1.1.11 (Version: 1.1.11)
Warcraft III Reign of Chaos & The Frozen Throne
WebFldrs XP (Version: 9.50.6513)
Windows 7 Upgrade Advisor (Version: 2.0.5000.0)
Windows Communication Foundation (Version: 3.0.04506.30)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Installer Clean Up (Version: 3.00.00.0000)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows PowerShell™ 1.0 (Version: 1)
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Workflow Foundation (Version: 3.0.4203.2)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
World in Conflict: Soviet Assault (Version: 1.0.1.1)
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall (Version: 1.2)
Zuma's Revenge!

========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 2047.48 MB
Available physical RAM: 1331.34 MB
Total Pagefile: 3940.44 MB
Available Pagefile: 3367.53 MB
Total Virtual: 2047.88 MB
Available Virtual: 1978.76 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:116.44 GB) (Free:10 GB) NTFS
3 Drive d: () (Fixed) (Total:116.44 GB) (Free:53.56 GB) NTFS
5 Drive h: (Cracking) (Fixed) (Total:465.76 GB) (Free:130.27 GB) NTFS

========================= Users: ========================================

User accounts for \\CHEESE-IMTTNBN4

Administrator ASPNET Guest
HelpAssistant Married Randy
SUPPORT_388945a0 UpdatusUser


**** End of log ****

Edited by Fhallest, 21 May 2012 - 01:00 PM.


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,904 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:31 AM

Posted 21 May 2012 - 01:19 PM

Hi, do not restore those quarantined files.
The infections found have stolen all the personal info on this PC. Do you do banking or financials on here?




>>>Did you reset winsock and run TDSS, as I do not see a TDSS log.

>>>>Also, did you create this drive? #5
========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:116.44 GB) (Free:12.88 GB) NTFS
3 Drive d: () (Fixed) (Total:116.44 GB) (Free:53.56 GB) NTFS
5 Drive h: (Cracking) (Fixed) (Total:465.76 GB) (Free:129.7 GB) NTFS.
6 Drive i: () (Removable) (Total:15.1 GB) (Free:15.03 GB) FAT32
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.

#14 Fhallest

Fhallest
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 21 May 2012 - 08:36 PM

I have done everything that has been asked of me. If you look in my previous replies, I have answered all questions, including the newest ones. I have reset winsock and run TDSS with nothing found. The second hard drive, as mentioned previously, on my computer is the H: drive, and the name of my drive is Cracking, after a movie called Cracking Contraption. If there is something wrong with this name, please let me know. Again, I have two hard drives, with the main one having two partitions and the second one named H:

I hope this answers all the necessary questions. In addition, I am still getting redirected to alternate websites, but I think my computer fix is headed in the right direction.


Thanks,

Randy

Edited by Fhallest, 21 May 2012 - 08:39 PM.


#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 62,904 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:31 AM

Posted 21 May 2012 - 09:06 PM

Hi, I need to ask; malware is very sneaky today. It's not personal, Randy, I just want it cleaned. These infections can get to 100's of machines in no time.
The 2nd mini showed unfixed winsock... possible rootkit:

Catalog5 02 mswsock.dll [File Not found]


Drive and the Name of my drive is Cracking


I needed to know if the malware had created a drive or partition and that name sounded plausible.

I believe then we have a possible Zaccess rootkit. This has to go..

If you do banking or financials these institutions need to be contacted to protect your assets.


I think it best we post a DDS log and be certain if and what is left.



We need a deeper look. Please go here....Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.

Edited by boopme, 21 May 2012 - 09:06 PM.

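The "mswsock.dll [File Not found]" lines in the MiniToolBox Winsock section are what boopme is reacting to: a Winsock catalog entry whose DLL cannot be resolved means either a broken uninstall or an LSP/namespace provider that a rootkit installed and then hid or removed. The script below is an added example, not part of the thread and not MiniToolBox's or ESET's code; it reproduces that check directly from the registry so you can re-run it after `netsh winsock reset` and confirm the catalog is clean, and it also inspects the hosts file that ESET quarantined as Win32/Qhost. It assumes PowerShell 2.0 or later (Windows XP SP3 supports it), an administrator prompt, and the standard Winsock2 registry layout: namespace providers store their DLL in the `LibraryPath` value, protocol providers store it as the leading NUL-terminated string of the binary `PackedCatalogItem` value. The `Catalog_Entries64` branches exist only on 64-bit Windows and are skipped when absent.

```powershell
# Added example: re-implement MiniToolBox's "Winsock entries" check and a hosts-file
# sanity check from the registry and file system. Not the thread's or any tool's own code.
# Assumes PowerShell 2.0+, Administrator, standard WinSock2 registry layout.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

function Resolve-WinsockDll([string]$raw) {
    # LibraryPath is REG_EXPAND_SZ (e.g. %SystemRoot%\system32\winrnr.dll); some
    # entries carry only a bare file name, which the loader resolves from System32.
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot ("system32\" + $p)
    }
    return $p
}

function Test-WinsockEntry([string]$catalog, [string]$id, [string]$raw) {
    # Report the same three facts MiniToolBox prints: path, size, CompanyName.
    # CompanyName comes from the file's version resource and is trivially forged,
    # so treat it as a triage hint; confirm with sigverif or a hash lookup.
    $path = Resolve-WinsockDll $raw
    if (-not (Test-Path -LiteralPath $path)) {
        $size = 0; $company = ''; $status = 'FILE NOT FOUND'   # the condition in the log
    } else {
        $item    = Get-Item -LiteralPath $path
        $size    = $item.Length
        $company = $item.VersionInfo.CompanyName
        if ($company -match 'Microsoft') { $status = 'OK' } else { $status = 'THIRD-PARTY (verify)' }
    }
    New-Object PSObject -Property @{
        Catalog = $catalog; Entry = $id; Dll = $path; Size = $size; Company = $company; Status = $status
    }
}

$results = @()

# NameSpace providers (Catalog5): DLL path is the LibraryPath value.
foreach ($sub in 'NameSpace_Catalog5\Catalog_Entries', 'NameSpace_Catalog5\Catalog_Entries64') {
    $key = Join-Path $base $sub
    if (-not (Test-Path $key)) { continue }
    foreach ($e in Get-ChildItem $key) {
        $lib = (Get-ItemProperty $e.PSPath).LibraryPath
        $results += Test-WinsockEntry 'Catalog5' $e.PSChildName $lib
    }
}

# Protocol providers (Catalog9): DLL path is the first NUL-terminated ANSI string
# (at most MAX_PATH = 260 bytes) of the REG_BINARY PackedCatalogItem value.
foreach ($sub in 'Protocol_Catalog9\Catalog_Entries', 'Protocol_Catalog9\Catalog_Entries64') {
    $key = Join-Path $base $sub
    if (-not (Test-Path $key)) { continue }
    foreach ($e in Get-ChildItem $key) {
        [byte[]]$blob = (Get-ItemProperty $e.PSPath).PackedCatalogItem
        $len = [Array]::IndexOf($blob, [byte]0)
        if ($len -lt 0 -or $len -gt 260) { $len = 260 }
        $lib = [Text.Encoding]::Default.GetString($blob, 0, $len)
        $results += Test-WinsockEntry 'Catalog9' $e.PSChildName $lib
    }
}

$results | Sort-Object Catalog, Entry | Format-Table Catalog, Entry, Dll, Size, Company, Status -AutoSize
$bad = $results | Where-Object { $_.Status -ne 'OK' }
if ($bad) { Write-Warning ("{0} Winsock entr(ies) need attention; see Status column." -f $bad.Count) }

# Hosts file: ESET quarantined it as Win32/Qhost, which is why MiniToolBox then
# reported "Hosts file not detected". Windows runs fine without one; if it exists,
# any entry that maps a name to something other than loopback deserves a look,
# since Qhost-style infections use exactly that to redirect search/AV/update sites.
$hosts = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
if (-not (Test-Path -LiteralPath $hosts)) {
    Write-Output "hosts: not present (expected after quarantine; a default file needs only '127.0.0.1 localhost')"
} else {
    Get-Content $hosts |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S+' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' } |
        ForEach-Object { Write-Warning "hosts: non-loopback entry: $_" }
}
```

Run it before and after `netsh winsock reset` (then reboot): the reset rebuilds both catalogs from defaults, so a FILE NOT FOUND or unexpected third-party entry that comes back afterwards points at something re-installing itself, which is the rootkit scenario boopme is describing rather than a stale uninstall.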