Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Infection

Started by 13kylek , Jul 09 2012 03:08 PM

This topic is locked

9 replies to this topic

#1 13kylek

New Member

Members
14 posts

Posted 09 July 2012 - 03:08 PM

My avast security system keeps telling me there is an infection. i does not give me the option to remove it. I ran malwarebytes;
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.09.11

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Kyle :: KYLE-PC [administrator]

7/9/2012 3:28:10 PM
mbam-log-2012-07-09 (15-28-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 208359
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 17
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> No action taken.
HKCR\CLSID\{11111111-1111-1111-1111-110011461139} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044464439} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055465539} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004639.BHO.1 (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011461139} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011461139} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011461139} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CLSID\{22222222-2222-2222-2222-220022462239} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004639.Sandbox.1 (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004639.Sandbox (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CLSID\{33333333-3333-3333-3333-330033463339} (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004639.FBApi.1 (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004639.FBApi (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0004639.BHO (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\4639 (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4639 (PUP.CrossFire.SA) -> Data: SavingsApp -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Kyle\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Then i ran SAS in safe mode;
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/09/2012 at 03:52 PM

Application Version : 5.5.1006

Core Rules Database Version : 8866
Trace Rules Database Version: 6678

Scan type : Quick Scan
Total Scan Time : 00:02:31

Operating System Information
Windows 7 Home Premium 64-bit (Build 6.01.7600)
UAC Off - Administrator

Memory items scanned : 312
Memory threats detected : 0
Registry items scanned : 54224
Registry threats detected : 0
File items scanned : 11289
File threats detected : 89

Adware.Tracking Cookie
C:\USERS\KYLE\AppData\Roaming\Microsoft\Windows\Cookies\Low\kyle@www.google[3].txt [ Cookie:kyle@www.google.com/accounts ]
C:\USERS\KYLE\AppData\Roaming\Microsoft\Windows\Cookies\Low\kyle@CA89LMSU.txt [ Cookie:kyle@google.com/accounts/ ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.legolas-media.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.legolas-media.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.legolas-media.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.yadro.ru [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.yadro.ru [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.bravoteens.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.bravoteens.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.bravoteens.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.bravoteens.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.bravoteens.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.bravoteens.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.bravoteens.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.avgtechnologies.112.2o7.net [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
bridge.ame.admarketplace.net [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.admarketplace.net [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
click.findsearchengineresults.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.imrworldwide.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.imrworldwide.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
accounts.youtube.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
accounts.google.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
accounts.google.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
accounts.google.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
click.get-answers-fast.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.mediatraffic.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.adknowledge.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.adknowledge.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.adknowledge.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.adknowledge.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.teenport.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.teenport.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.teenport.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.teenport.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.nakedonthestreets.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.nakedonthestreets.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.nakedonthestreets.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.nakedonthestreets.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.nakedonthestreets.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.nakedonthestreets.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.pornhub.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.pornhub.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.pornhub.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.pornhub.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.pornhub.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.pornhub.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
www.pornhub.com [ C:\USERS\KYLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\KDLGPL9E.DEFAULT\COOKIES.SQLITE ]
.doubleclick.net [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.specificclick.net [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.imrworldwide.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.imrworldwide.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.doubleclick.net [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adbrite.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adbrite.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.apmebf.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.apmebf.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.fastclick.net [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.media6degrees.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
www.googleadservices.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
click.get-answers-fast.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
www.googleadservices.com [ C:\USERS\KYLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

Any suggestions?
Thanks, Kyle

Back to top

BC Ads
BleepingComputer.com

#2 boopme

To Insanity and Beyond

Global Moderator
55,329 posts

Gender:Male
Location:NJ USA

Posted 09 July 2012 - 03:14 PM

Hello, I've moved this to the Am I Infected forum.

Lets do a few more scans and tell me how it is after.

Please download TDSSKiller.zip and and extract it.

Run TDSSKiller.exe.
Click on Change Parameters
Put a check in the box of Detect TDLFS file system
Click Start scan.
When it is finished the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
Let reboot if needed and tell me if the tool needed a reboot.
Click on Report and post the contents of the text file that will open.

Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.

>>>>Next
Please download aswMBR ( 511KB ) to your desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Lastly and this can be long...

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check and check Remove found threats
Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

NOTE: In some instances if no malware is found there will be no log produced.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

Back to top

#3 13kylek

New Member

Members
14 posts

Posted 10 July 2012 - 10:22 AM

The first program didnt need to reboot and here is the report it gave me;

01:23:39.0655 3424 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
01:23:40.0002 3424 ============================================================
01:23:40.0002 3424 Current date / time: 2012/07/10 01:23:40.0002
01:23:40.0002 3424 SystemInfo:
01:23:40.0002 3424
01:23:40.0002 3424 OS Version: 6.1.7600 ServicePack: 0.0
01:23:40.0002 3424 Product type: Workstation
01:23:40.0002 3424 ComputerName: KYLE-PC
01:23:40.0003 3424 UserName: Kyle
01:23:40.0003 3424 Windows directory: C:\Windows
01:23:40.0003 3424 System windows directory: C:\Windows
01:23:40.0003 3424 Running under WOW64
01:23:40.0003 3424 Processor architecture: Intel x64
01:23:40.0003 3424 Number of processors: 2
01:23:40.0003 3424 Page size: 0x1000
01:23:40.0003 3424 Boot type: Normal boot
01:23:40.0003 3424 ============================================================
01:23:40.0494 3424 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
01:23:40.0500 3424 ============================================================
01:23:40.0500 3424 \Device\Harddisk0\DR0:
01:23:40.0500 3424 MBR partitions:
01:23:40.0500 3424 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1D4C000
01:23:40.0500 3424 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1D60000, BlocksNum 0x236CE2B0
01:23:40.0500 3424 ============================================================
01:23:40.0527 3424 C: <-> \Device\Harddisk0\DR0\Partition1
01:23:40.0527 3424 ============================================================
01:23:40.0527 3424 Initialize success
01:23:40.0527 3424 ============================================================
01:23:43.0135 5888 ============================================================
01:23:43.0135 5888 Scan started
01:23:43.0135 5888 Mode: Manual;
01:23:43.0135 5888 ============================================================
01:23:43.0405 5888 !SASCORE (7d9d615201a483d6fa99491c2e655a5a) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
01:23:43.0407 5888 !SASCORE - ok
01:23:43.0621 5888 1394ohci (69aa89a20dee08bfa650aab6ce37bd10) C:\Windows\system32\DRIVERS\1394ohci.sys
01:23:43.0624 5888 1394ohci - ok
01:23:43.0708 5888 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
01:23:43.0712 5888 ACPI - ok
01:23:43.0767 5888 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
01:23:43.0768 5888 AcpiPmi - ok
01:23:43.0915 5888 AdobeFlashPlayerUpdateSvc (990dc6edc9f933194d7cd4e65146bc94) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
01:23:43.0917 5888 AdobeFlashPlayerUpdateSvc - ok
01:23:43.0979 5888 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
01:23:43.0983 5888 adp94xx - ok
01:23:44.0058 5888 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
01:23:44.0068 5888 adpahci - ok
01:23:44.0115 5888 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
01:23:44.0117 5888 adpu320 - ok
01:23:44.0177 5888 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
01:23:44.0180 5888 AeLookupSvc - ok
01:23:44.0347 5888 AESTFilters (a6fb9db8f1a86861d955fd6975977ae0) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe
01:23:44.0349 5888 AESTFilters - ok
01:23:44.0439 5888 AFD (db9d6c6b2cd95a9ca414d045b627422e) C:\Windows\system32\drivers\afd.sys
01:23:44.0444 5888 AFD - ok
01:23:44.0515 5888 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
01:23:44.0517 5888 agp440 - ok
01:23:44.0878 5888 Akamai (c775d704feb2b600a5bf7b0b088546af) c:\program files (x86)\common files\akamai/netsession_win_80c2ffa.dll
01:23:44.0878 5888 Suspicious file (Hidden): c:\program files (x86)\common files\akamai/netsession_win_80c2ffa.dll. md5: c775d704feb2b600a5bf7b0b088546af
01:23:44.0888 5888 Akamai ( HiddenFile.Multi.Generic ) - warning
01:23:44.0888 5888 Akamai - detected HiddenFile.Multi.Generic (1)
01:23:44.0902 5888 Scan interrupted by user!
01:23:44.0902 5888 Scan interrupted by user!
01:23:44.0902 5888 Scan interrupted by user!
01:23:44.0902 5888 ============================================================
01:23:44.0902 5888 Scan finished
01:23:44.0902 5888 ============================================================
01:23:44.0917 7040 Detected object count: 1
01:23:44.0917 7040 Actual detected object count: 1
01:23:46.0665 7040 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
01:23:46.0665 7040 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip
01:23:54.0059 6316 ============================================================
01:23:54.0059 6316 Scan started
01:23:54.0059 6316 Mode: Manual; TDLFS;
01:23:54.0060 6316 ============================================================
01:23:54.0326 6316 !SASCORE (7d9d615201a483d6fa99491c2e655a5a) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
01:23:54.0329 6316 !SASCORE - ok
01:23:54.0544 6316 1394ohci (69aa89a20dee08bfa650aab6ce37bd10) C:\Windows\system32\DRIVERS\1394ohci.sys
01:23:54.0547 6316 1394ohci - ok
01:23:54.0631 6316 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
01:23:54.0635 6316 ACPI - ok
01:23:54.0666 6316 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
01:23:54.0667 6316 AcpiPmi - ok
01:23:54.0817 6316 AdobeFlashPlayerUpdateSvc (990dc6edc9f933194d7cd4e65146bc94) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
01:23:54.0820 6316 AdobeFlashPlayerUpdateSvc - ok
01:23:54.0883 6316 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
01:23:54.0888 6316 adp94xx - ok
01:23:54.0920 6316 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
01:23:54.0924 6316 adpahci - ok
01:23:54.0968 6316 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
01:23:54.0970 6316 adpu320 - ok
01:23:55.0032 6316 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
01:23:55.0034 6316 AeLookupSvc - ok
01:23:55.0190 6316 AESTFilters (a6fb9db8f1a86861d955fd6975977ae0) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe
01:23:55.0192 6316 AESTFilters - ok
01:23:55.0270 6316 AFD (db9d6c6b2cd95a9ca414d045b627422e) C:\Windows\system32\drivers\afd.sys
01:23:55.0276 6316 AFD - ok
01:23:55.0337 6316 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
01:23:55.0338 6316 agp440 - ok
01:23:55.0667 6316 Akamai (c775d704feb2b600a5bf7b0b088546af) c:\program files (x86)\common files\akamai/netsession_win_80c2ffa.dll
01:23:55.0668 6316 Suspicious file (Hidden): c:\program files (x86)\common files\akamai/netsession_win_80c2ffa.dll. md5: c775d704feb2b600a5bf7b0b088546af
01:23:55.0677 6316 Akamai ( HiddenFile.Multi.Generic ) - warning
01:23:55.0678 6316 Akamai - detected HiddenFile.Multi.Generic (1)
01:23:55.0829 6316 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
01:23:55.0831 6316 ALG - ok
01:23:55.0915 6316 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
01:23:55.0916 6316 aliide - ok
01:23:55.0950 6316 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
01:23:55.0952 6316 amdide - ok
01:23:56.0011 6316 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
01:23:56.0012 6316 AmdK8 - ok
01:23:56.0037 6316 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
01:23:56.0039 6316 AmdPPM - ok
01:23:56.0095 6316 amdsata (ec7ebab00a4d8448bab68d1e49b4beb9) C:\Windows\system32\drivers\amdsata.sys
01:23:56.0097 6316 amdsata - ok
01:23:56.0141 6316 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
01:23:56.0144 6316 amdsbs - ok
01:23:56.0191 6316 amdxata (db27766102c7bf7e95140a2aa81d042e) C:\Windows\system32\drivers\amdxata.sys
01:23:56.0192 6316 amdxata - ok
01:23:56.0278 6316 ApfiltrService (98449a2957778a6f025c418438a380f4) C:\Windows\system32\DRIVERS\Apfiltr.sys
01:23:56.0282 6316 ApfiltrService - ok
01:23:56.0343 6316 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
01:23:56.0345 6316 AppID - ok
01:23:56.0389 6316 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
01:23:56.0391 6316 AppIDSvc - ok
01:23:56.0430 6316 Appinfo (d065be66822847b7f127d1f90158376e) C:\Windows\System32\appinfo.dll
01:23:56.0432 6316 Appinfo - ok
01:23:56.0587 6316 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
01:23:56.0589 6316 Apple Mobile Device - ok
01:23:56.0651 6316 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
01:23:56.0653 6316 arc - ok
01:23:56.0677 6316 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
01:23:56.0679 6316 arcsas - ok
01:23:56.0739 6316 aswFsBlk (e8184039d57365bee3eaa750375c44ad) C:\Windows\system32\drivers\aswFsBlk.sys
01:23:56.0740 6316 aswFsBlk - ok
01:23:56.0833 6316 aswMonFlt (c671e9548d3d1b4cd15d0b164d9d01c7) C:\Windows\system32\drivers\aswMonFlt.sys
01:23:56.0845 6316 aswMonFlt - ok
01:23:56.0896 6316 aswRdr (dee012d532c3f62ca099961505f41cf6) C:\Windows\system32\drivers\aswRdr.sys
01:23:56.0898 6316 aswRdr - ok
01:23:56.0928 6316 aswSP (56bbd39753b9f7461c4de03c3217249d) C:\Windows\system32\drivers\aswSP.sys
01:23:56.0930 6316 aswSP - ok
01:23:56.0970 6316 aswTdi (193691b35598642a328d880483dc0ed9) C:\Windows\system32\drivers\aswTdi.sys
01:23:56.0972 6316 aswTdi - ok
01:23:57.0001 6316 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
01:23:57.0003 6316 AsyncMac - ok
01:23:57.0054 6316 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
01:23:57.0056 6316 atapi - ok
01:23:57.0157 6316 AudioEndpointBuilder (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll
01:23:57.0165 6316 AudioEndpointBuilder - ok
01:23:57.0178 6316 AudioSrv (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll
01:23:57.0186 6316 AudioSrv - ok
01:23:57.0299 6316 avast! Antivirus (b2386a8e66891f7cfec9f5a03f0f1210) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
01:23:57.0301 6316 avast! Antivirus - ok
01:23:57.0304 6316 Scan interrupted by user!
01:23:57.0304 6316 Scan interrupted by user!
01:23:57.0304 6316 Scan interrupted by user!
01:23:57.0304 6316 ============================================================
01:23:57.0304 6316 Scan finished
01:23:57.0304 6316 ============================================================
01:23:57.0319 4924 Detected object count: 1
01:23:57.0319 4924 Actual detected object count: 1
01:24:05.0730 4924 c:\program files (x86)\common files\akamai/netsession_win_80c2ffa.dll - copied to quarantine
01:24:05.0732 4924 Akamai ( HiddenFile.Multi.Generic ) - User select action: Quarantine

Heres the other log from aswmbr

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-10 01:26:49
-----------------------------
01:26:49.134 OS Version: Windows x64 6.1.7600
01:26:49.135 Number of processors: 2 586 0x170A
01:26:49.136 ComputerName: KYLE-PC UserName: Kyle
01:26:50.433 Initialize success
01:26:51.444 AVAST engine defs: 12070901
01:26:59.535 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:26:59.539 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
01:26:59.554 Disk 0 MBR read successfully
01:26:59.559 Disk 0 MBR scan
01:26:59.565 Disk 0 Windows VISTA default MBR code
01:26:59.570 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
01:26:59.581 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 81920
01:26:59.596 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 290204 MB offset 30801920
01:26:59.621 Disk 0 scanning C:\Windows\system32\drivers
01:27:13.675 Service scanning
01:27:44.374 Modules scanning
01:27:44.388 Disk 0 trace - called modules:
01:27:44.417 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
01:27:44.758 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004562060]
01:27:44.767 3 CLASSPNP.SYS[fffff880013cf43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80040f3050]
01:27:45.549 AVAST engine scan C:\Windows
01:27:48.272 AVAST engine scan C:\Windows\system32
01:29:25.738 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
01:29:28.130 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
01:30:23.381 AVAST engine scan C:\Windows\system32\drivers
01:30:34.624 AVAST engine scan C:\Users\Kyle
01:31:14.491 Disk 0 MBR has been saved successfully to "C:\Users\Kyle\Desktop\MBR.dat"
01:31:14.504 The log file has been saved successfully to "C:\Users\Kyle\Desktop\aswMBR.txt"

Here is the last log;

C:\$Recycle.Bin\S-1-5-21-787825875-780258353-603877844-1001\$R4E4FEA.exe a variant of Win32/InstallIQ application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-787825875-780258353-603877844-1001\$R6IWRY2.exe a variant of Win32/InstallIQ application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-787825875-780258353-603877844-1001\$R7KNG9S.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-787825875-780258353-603877844-1001\$R8C60AC.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-787825875-780258353-603877844-1001\$RJNXGGO.rar Win32/OpenCandy application deleted - quarantined
C:\$Recycle.Bin\S-1-5-21-787825875-780258353-603877844-1001\$RWGFFJ2\flstudio_9.0.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined
C:\Users\Kyle\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120703233417953.rsc multiple threats deleted - quarantined
C:\Users\Kyle\Documents\Vuze Downloads\epicbot_520.exe a variant of Win32/InstallIQ application cleaned by deleting - quarantined
C:\Users\Kyle\Downloads\jZipV1.exe Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\Users\Kyle\Downloads\SoftonicDownloader_for_skype.exe a variant of Win32/SoftonicDownloader.A application cleaned by deleting - quarantined
C:\Windows\Installer\{05811e29-9f43-9f3b-5e4d-cf283e0dd938}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Windows\Installer\{05811e29-9f43-9f3b-5e4d-cf283e0dd938}\U\trz1D2F.tmp a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Windows\Installer\{05811e29-9f43-9f3b-5e4d-cf283e0dd938}\U\trz4D33.tmp a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Windows\Installer\{05811e29-9f43-9f3b-5e4d-cf283e0dd938}\U\trz8AD5.tmp Win64/Sirefef.AE trojan cleaned by deleting - quarantined
Operating memory a variant of Win32/Sirefef.EZ trojan

Back to top

#4 boopme

To Insanity and Beyond

Global Moderator
55,329 posts

Gender:Male
Location:NJ USA

Posted 10 July 2012 - 02:56 PM

Good , now re run aswMBR
Download latest virus definitions at startup

Click [Scan]

On completion of the scan click [Fix]

Click [Save log], save it to your desktop and post in your next reply

Reboot

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

Back to top

#5 13kylek

New Member

Members
14 posts

Posted 10 July 2012 - 06:22 PM

i ran the scan and when i hit fix it gave me a warning saying it could make my partitions to become ineccesable, should i continue or no?

Back to top

#6 boopme

To Insanity and Beyond

Global Moderator
55,329 posts

Gender:Male
Location:NJ USA

Posted 10 July 2012 - 08:35 PM

OK, in that case we need you to repost so that you will have assistance in the worst case scenario.

Include this link back here in the new post. Title it Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]

http://www.bleepingcomputer.com/forums/topic459962.html/page__pid__2759156#top

Please go here....Preparation Guide ,do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Let me know if that went well.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

Back to top

#7 13kylek

New Member

Members
14 posts

Posted 11 July 2012 - 12:27 AM

That all went good thanks, should i run the aswMBR fix now?

Back to top

#8 boopme

To Insanity and Beyond

Global Moderator
55,329 posts

Gender:Male
Location:NJ USA

Posted 11 July 2012 - 07:04 PM

No, I need you to post the DDS log from the Prep Guide in the other topic.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security

Back to top

#9 13kylek

New Member

Members
14 posts

Posted 12 July 2012 - 08:25 PM

I posted the dds log in the other topic, heres the link:

http://www.bleepingcomputer.com/forums/topic460178.html/page__p__2759611__fromsearch__1#entry2759611

Back to top

#10 boopme

To Insanity and Beyond

Global Moderator
55,329 posts

Gender:Male
Location:NJ USA

Posted 12 July 2012 - 10:09 PM

Thank you,looks proper now.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 5 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook Have you seen..Select Real Security