Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Google Redirect Virus


  • This topic is locked This topic is locked
8 replies to this topic

#1 tfue

tfue

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:18 AM

Posted 22 April 2010 - 10:14 PM

I've been dealing with this virus for about two weeks. Initially, it presented itself as a "Windows Security Alert" or something close to that, but it has since only appeared in the form of the obnoxious redirect virus. I downloaded a new install of Malwarebytes to get rid of this virus, and it detected a number of rogues and other issues, removing them repeatedly.

I know you didn't ask for this information, but here is additional info about what the MWB scans found, the DDS log text follows this section:

4-17-10:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Brooke\AppData\Local\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Brooke\AppData\Local\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Brooke\AppData\Local\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Brooke\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Brooke\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Users\Brooke\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Brooke\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.


4-18-10:
Files Infected:
C:\Users\Brooke\AppData\Local\Temp\79A2.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

All scans since have detected nothing, even though the redirection problem persists.

I have run a DDS scan, but when I attempt to run GMER the scan always stops about 20 seconds in, and a dialogue box pops up stating, "gmer.exe has stopped working." This box always stops the scan from progressing, and if I try to re-execute the application I encounter a nasty blue screen. I'm sorry I can't supply more information about the exact I'm at my wits end, and I don't know how useful the DDS will be without the GMER, but here it is, along with the Attach.txt:


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Brooke at 21:43:08.27 on Mon 04/19/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.2224 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Brooke\Desktop\Lap Recovery\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TOSCDSPD] TOSCDSPD.EXE
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pdfcre~1.lnk - c:\program files\pdfcreator\PDFCreator.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
TCP: {5D15BDA3-1850-4920-8EF2-1906FFCD7CB2} = 68.87.76.182,68.87.78.134
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\brooke\appdata\roaming\mozilla\firefox\profiles\uy26c3m8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\users\brooke\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\brooke\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-7 335240]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-7 27784]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-12 297752]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-12 38224]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-8-9 16896]

=============== Created Last 30 ================

2010-04-17 06:46:19 0 d-----w- c:\users\brooke\appdata\roaming\Malwarebytes
2010-04-16 01:20:42 0 d-----w- c:\programdata\avG
2010-04-15 05:58:35 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-15 05:58:27 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 05:58:27 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 05:58:27 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 05:58:17 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 05:58:13 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 05:58:09 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-15 05:58:04 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 05:57:56 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 05:57:55 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 05:57:55 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 05:33:09 0 d-----w- c:\program files\Trend Micro
2010-04-15 02:17:06 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-12 12:52:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 12:51:59 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 12:51:59 0 d-----w- c:\programdata\Malwarebytes
2010-04-12 12:51:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 04:05:07 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-12 04:04:54 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-10 17:28:27 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-06 03:12:40 0 d-----w- c:\users\brooke\appdata\roaming\Wizards of the Coast
2010-04-03 18:21:15 0 d-----w- c:\users\brooke\appdata\roaming\.purple
2010-03-30 23:57:05 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-30 23:56:58 389632 ----a-w- c:\windows\system32\html.iec
2010-03-30 23:56:58 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-30 23:56:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-30 23:56:55 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-03-29 04:31:19 0 d-----w- C:\Temp
2010-03-29 04:23:31 0 d-----w- c:\program files\Wizards of the Coast

==================== Find3M ====================

2010-04-14 09:16:49 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:39:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18:40 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-01-25 12:48:34 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48:06 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45:56 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35:01 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34:56 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34:56 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44:02 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-06 00:28:05 51200 ----a-w- c:\windows\inf\infpub.dat
2009-07-06 00:28:05 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-07-06 00:10:48 86016 ----a-w- c:\windows\inf\infstor.dat
2008-08-09 22:16:19 174 --sha-w- c:\program files\desktop.ini
2008-08-09 21:58:15 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-05-28 00:48:47 16384 --sha-w- c:\windows\temp\cookies\index.dat
2007-05-28 00:48:49 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-05-28 00:48:47 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:48:15.23 ===============


Thank you so much for your help!

Attached Files



BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:18 AM

Posted 28 April 2010 - 03:29 PM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 tfue

tfue
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:18 AM

Posted 29 April 2010 - 02:11 AM

Hello, and thank you for your response!

I've been dealing with this virus for about two weeks. Initially, it presented itself as a "Windows Security Alert" or something close to that, but it has since only appeared in the form of the obnoxious redirect virus. I downloaded a new install of Malwarebytes to get rid of this virus, and it detected a number of rogues and other issues, removing them repeatedly.

Here is additional info about what the MWB scans found, the OTL logs follow this section:

4-17-10:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Brooke\AppData\Local\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Brooke\AppData\Local\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Brooke\AppData\Local\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Brooke\AppData\Local\av.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Brooke\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\Users\Brooke\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Brooke\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.


4-18-10:
Files Infected:
C:\Users\Brooke\AppData\Local\Temp\79A2.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

All scans since have detected nothing, even though the redirection problem persists.

------------------------------------------------------------------------------------------------------------

I originally ran a DDS scan and posted it above, but when I've attempted to run GMER since your last posting, the scan always stops about 20 seconds in, and a dialogue box pops up stating, "*.exe has stopped working." This box always stops the scan from progressing, and if I try to re-execute the application I encounter a nasty blue screen. I've tried redownloading the GMER executable several times, and there is always the same result. I have also tried running it in Safe mode to no avail.

------------------------------------------------------------------------------------------------------------

Here are the OTL.txt and Extras.txt

OTL.txt

OTL logfile created on: 4/28/2010 11:20:54 PM - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Users\Brooke\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 31.07 Gb Free Space | 28.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FOZZIEMOBILE
Current User Name: Brooke
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/28 21:28:59 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\Brooke\Desktop\OTL.exe
PRC - [2008/10/28 23:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/04/28 21:28:59 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\Brooke\Desktop\OTL.exe
MOD - [2008/01/19 00:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/09/02 20:51:15 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2008/09/05 13:06:32 | 000,164,600 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/01/19 00:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/06/10 00:20:40 | 000,020,480 | ---- | M] (Intuit) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2007/02/02 15:56:52 | 000,118,784 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2006/11/09 16:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/10/05 13:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - [2009/09/02 20:51:45 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/09/02 20:51:45 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2008/08/06 09:26:08 | 000,124,928 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/06/20 07:37:00 | 000,200,112 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/02/11 19:36:10 | 002,302,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/02/11 19:36:10 | 002,302,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (ialm)
DRV - [2008/01/18 23:14:59 | 000,016,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2007/11/09 05:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/01/26 17:13:40 | 000,017,712 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/01/18 19:56:56 | 001,729,632 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/12/09 01:01:02 | 002,206,720 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2006/11/28 16:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/02 02:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 02:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 02:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 02:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 02:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 02:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 02:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 02:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 02:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 02:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 02:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 02:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 02:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 02:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 02:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 02:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 02:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 02:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 02:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 02:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 02:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 02:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 02:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 02:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 02:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 02:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 02:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 02:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 02:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 02:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 02:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 02:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 02:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 02:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 01:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 01:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 01:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 01:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 01:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 01:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 00:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 00:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 00:30:52 | 000,467,456 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2006/09/27 04:06:00 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/07/28 17:25:26 | 000,019,456 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter)
DRV - [2006/07/06 14:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/02/13 19:50:00 | 000,216,320 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2005/09/27 00:57:00 | 000,207,104 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3993617172-3015776422-698419813-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3993617172-3015776422-698419813-1003\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3993617172-3015776422-698419813-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2010/01/08 13:47:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 11:14:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/03 11:14:28 | 000,000,000 | ---D | M]

[2008/08/20 19:42:52 | 000,000,000 | ---D | M] -- C:\Users\Brooke\AppData\Roaming\Mozilla\Extensions
[2010/04/28 22:39:39 | 000,000,000 | ---D | M] -- C:\Users\Brooke\AppData\Roaming\Mozilla\Firefox\Profiles\uy26c3m8.default\extensions
[2009/08/17 18:30:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Brooke\AppData\Roaming\Mozilla\Firefox\Profiles\uy26c3m8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/08/07 21:19:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/08/16 18:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2008/08/16 18:42:12 | 000,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2008/08/16 18:42:08 | 000,020,800 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2008/05/21 09:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2008/05/21 09:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2008/05/21 09:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2008/08/16 18:44:46 | 000,427,312 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2008/08/16 18:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2008/08/07 12:19:42 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3993617172-3015776422-698419813-1003..\Run: [TOSCDSPD] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\S-1-5-21-3993617172-3015776422-698419813-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134 68.87.76.182
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Brooke\Pictures\Ty & Brooke 2010\P4040034.JPG
O24 - Desktop BackupWallPaper: C:\Users\Brooke\Pictures\Ty & Brooke 2010\P4040034.JPG
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{321ee6ab-b173-11dd-be10-0016d4f89476}\Shell\autOplAy\Command - "" = E:\vmgfvn.pif -- File not found
O33 - MountPoints2\{321ee6ab-b173-11dd-be10-0016d4f89476}\Shell\AutoRun\command - "" = E:\vmgfvn.pif -- File not found
O33 - MountPoints2\{321ee6ab-b173-11dd-be10-0016d4f89476}\Shell\Explore\CoMMaNd - "" = E:\vmgfvn.pif -- File not found
O33 - MountPoints2\{321ee6ab-b173-11dd-be10-0016d4f89476}\Shell\opeN\CoMmaND - "" = E:\vmgfvn.pif -- File not found
O33 - MountPoints2\{321ee6b0-b173-11dd-be10-0016d4f89476}\Shell - "" = AutoRun
O33 - MountPoints2\{321ee6b0-b173-11dd-be10-0016d4f89476}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (SsiEfr.exe) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = secfile] -- Reg Error: Value error. File not found
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\ave.exe" /START "%1" %* File not found
O37 - HKU\S-1-5-21-3993617172-3015776422-698419813-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/04/28 21:27:32 | 000,563,712 | ---- | C] (OldTimer Tools) -- C:\Users\Brooke\Desktop\OTL.exe
[2010/04/20 19:01:13 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2010/04/20 06:39:37 | 000,093,056 | ---- | C] (GMER) -- C:\pxlyapog.sys
[2010/04/19 21:41:10 | 000,000,000 | ---D | C] -- C:\Users\Brooke\Desktop\Lap Recovery
[2010/04/16 23:46:19 | 000,000,000 | ---D | C] -- C:\Users\Brooke\AppData\Roaming\Malwarebytes
[2010/04/15 18:20:42 | 000,000,000 | ---D | C] -- C:\ProgramData\avG
[2010/04/15 18:20:40 | 000,000,000 | ---D | C] -- C:\Users\Brooke\AppData\Local\avG
[2010/04/14 22:58:35 | 000,062,464 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- C:\Windows\System32\l3codeca.acm
[2010/04/14 22:58:17 | 003,598,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/14 22:58:13 | 003,545,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/14 22:58:04 | 000,430,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/14 22:33:09 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/14 18:05:16 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/04/12 05:52:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/12 05:51:59 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/12 05:51:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/12 05:51:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/11 21:05:07 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/04/11 21:04:54 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/10 10:28:27 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2010/04/05 20:12:40 | 000,000,000 | ---D | C] -- C:\Users\Brooke\AppData\Roaming\Wizards of the Coast
[2010/04/03 11:22:15 | 000,000,000 | ---D | C] -- C:\Users\Brooke\AppData\Roaming\gtk-2.0
[2010/04/03 11:21:15 | 000,000,000 | ---D | C] -- C:\Users\Brooke\AppData\Roaming\.purple
[2010/03/30 16:57:01 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2010/03/30 16:57:00 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/03/30 16:56:59 | 000,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2010/03/30 16:56:59 | 000,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2010/03/30 16:56:59 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2010/03/30 16:56:58 | 000,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2010/03/30 16:56:58 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2010/03/30 16:56:57 | 000,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/03/30 16:56:57 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2010/03/30 16:56:57 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/03/30 16:56:55 | 001,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/28 23:19:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/28 23:17:50 | 001,835,008 | ---- | M] () -- C:\Users\Brooke\NTUSER.DAT
[2010/04/28 23:17:49 | 000,524,288 | -HS- | M] () -- C:\Users\Brooke\NTUSER.DAT{f23df3ac-64fc-11dd-bc98-0016d4f89476}.TMContainer00000000000000000001.regtrans-ms
[2010/04/28 23:17:49 | 000,065,536 | -HS- | M] () -- C:\Users\Brooke\NTUSER.DAT{f23df3ac-64fc-11dd-bc98-0016d4f89476}.TM.blf
[2010/04/28 21:28:59 | 000,563,712 | ---- | M] (OldTimer Tools) -- C:\Users\Brooke\Desktop\OTL.exe
[2010/04/24 10:35:01 | 000,000,680 | ---- | M] () -- C:\Users\Brooke\AppData\Local\d3d9caps.dat
[2010/04/22 19:04:30 | 000,605,930 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/22 19:04:30 | 000,105,300 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/22 19:04:29 | 000,707,452 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/22 18:58:40 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/22 18:58:40 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/22 18:58:39 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/22 17:16:51 | 271,695,099 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/04/20 19:01:27 | 000,000,923 | ---- | M] () -- C:\Users\Public\Desktop\DriveImage XML.lnk
[2010/04/20 16:55:36 | 000,017,408 | ---- | M] () -- C:\Users\Brooke\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/20 06:39:37 | 000,093,056 | ---- | M] (GMER) -- C:\pxlyapog.sys
[2010/04/19 17:53:37 | 059,060,287 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2010/04/16 17:59:29 | 000,009,690 | -HS- | M] () -- C:\Users\Brooke\AppData\Local\P4s1N5
[2010/04/16 17:59:29 | 000,009,690 | -HS- | M] () -- C:\ProgramData\P4s1N5
[2010/04/14 22:33:12 | 000,001,885 | ---- | M] () -- C:\Users\Brooke\Desktop\HijackThis.lnk
[2010/04/14 22:16:41 | 000,011,278 | -HS- | M] () -- C:\ProgramData\TcP0eIPn2W
[2010/04/12 05:52:06 | 000,000,829 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/12 05:32:46 | 000,010,834 | -HS- | M] () -- C:\ProgramData\N8NHc
[2010/04/11 20:53:09 | 000,010,816 | -HS- | M] () -- C:\ProgramData\284374023
[2010/04/05 18:42:51 | 001,514,135 | ---- | M] () -- C:\Users\Brooke\Desktop\P4040034.JPG
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/20 19:01:27 | 000,000,923 | ---- | C] () -- C:\Users\Public\Desktop\DriveImage XML.lnk
[2010/04/18 16:07:57 | 000,000,680 | ---- | C] () -- C:\Users\Brooke\AppData\Local\d3d9caps.dat
[2010/04/15 18:20:42 | 000,009,690 | -HS- | C] () -- C:\Users\Brooke\AppData\Local\P4s1N5
[2010/04/15 01:29:39 | 000,009,690 | -HS- | C] () -- C:\ProgramData\P4s1N5
[2010/04/14 22:33:12 | 000,001,885 | ---- | C] () -- C:\Users\Brooke\Desktop\HijackThis.lnk
[2010/04/14 22:13:43 | 000,011,278 | -HS- | C] () -- C:\ProgramData\TcP0eIPn2W
[2010/04/12 05:52:06 | 000,000,829 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/11 20:31:30 | 000,010,816 | -HS- | C] () -- C:\ProgramData\284374023
[2010/04/11 15:27:33 | 000,010,834 | -HS- | C] () -- C:\ProgramData\N8NHc
[2010/04/05 18:42:46 | 001,514,135 | ---- | C] () -- C:\Users\Brooke\Desktop\P4040034.JPG
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/03/08 03:38:28 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/03/01 23:56:11 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007/03/01 23:11:48 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007/03/01 23:11:48 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007/03/01 23:11:48 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007/03/01 23:11:48 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2007/01/31 17:03:26 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1187.dll
[2006/12/05 14:05:06 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005/07/22 22:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll
< End of report >



Extras.txt:

OTL Extras logfile created on: 4/28/2010 11:20:56 PM - Run 1
OTL by OldTimer - Version 3.2.3.0 Folder = C:\Users\Brooke\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 86.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 31.07 Gb Free Space | 28.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FOZZIEMOBILE
Current User Name: Brooke
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.exe [@ = secfile] -- Reg Error: Value error. File not found
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Windows\System32\config\systemprofile\AppData\Local\ave.exe File not found

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Windows\System32\config\systemprofile\AppData\Local\ave.exe File not found

[HKEY_USERS\S-1-5-21-3993617172-3015776422-698419813-1003\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3993617172-3015776422-698419813-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3993617172-3015776422-698419813-1003]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{382096AE-F0B3-4C30-AD5C-8590F7353972}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{AE8270AF-2DCA-46C3-B31E-58BB80089205}" = lport=3724 | protocol=6 | dir=in | name=blizzard downloader |
"{B0D9B158-57B0-4E54-A90F-149D009BF6D6}" = lport=6112 | protocol=6 | dir=in | name=blizzard downloader 2 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1F428462-B278-4845-B342-E1F25F723B1F}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{26BE80E7-623E-46D0-ACAB-39F8426288BF}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{2A503358-7E95-4D16-8376-73789C859BEA}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-2.3.0-enus-downloader.exe |
"{33754B97-1B1A-4DBB-BA45-AEFDF7A2F5E0}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{40D93AFE-87F6-4FA1-AC4F-177D77C93E10}" = protocol=6 | dir=in | app=c:\program files\warcraft iii\frozen throne.exe |
"{4769FE4F-5722-4E64-983A-995E606F7D11}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
"{5D63048A-D561-479C-9EC1-75D39DD28E5C}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{654FBDC1-0083-4EBB-936F-D7868E9E4F2B}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{70A23B66-6ED7-42DE-8A0A-BAA5636B0D0B}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{78157A47-9672-494C-83C3-4F115F97CA9D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{81291646-1C19-4059-AE84-24FE99225225}" = protocol=6 | dir=in | app=c:\program files\world of warcraft\launcher.exe |
"{828D9B8B-F73D-4195-9EDB-D030D61CA627}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{84AA67AC-CFE4-4A7F-9E48-BAF0A4605722}" = protocol=17 | dir=in | app=c:\program files\warcraft iii\frozen throne.exe |
"{9A0FC966-FD95-44C1-B869-DAC3BCC917F5}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C70C89FF-6A0B-4218-B119-684486D4A9EE}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E437C01F-F686-4070-9401-215FB3C12EB5}" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-2.3.0-enus-downloader.exe |
"{EC0DF32F-EA73-4F39-A7DB-29EC2D3D0C72}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{025E6FAF-A14A-482F-9CEF-D62AFCA3BF6E}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{63C1EBF1-5D9F-4FD5-8D25-B17F7B22101C}C:\program files\utorrent\utorrent.exe" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"TCP Query User{7E0A81F5-293C-4821-8E27-E3D90364150F}C:\program files\world of warcraft\wow-2.3.0-enus-downloader.exe" = protocol=6 | dir=in | app=c:\program files\world of warcraft\wow-2.3.0-enus-downloader.exe |
"UDP Query User{0F06D669-C95A-45EF-B516-9007DE9AF738}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"UDP Query User{81E572EF-C10F-4EB9-BC15-CB202EF3BB95}C:\program files\world of warcraft\wow-2.3.0-enus-downloader.exe" = protocol=17 | dir=in | app=c:\program files\world of warcraft\wow-2.3.0-enus-downloader.exe |
"UDP Query User{85EEDEAE-196A-42B4-8DF8-0A20314349C9}C:\program files\utorrent\utorrent.exe" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{0020FEE2-7CDB-4250-B04B-81D68D3CA18B}" =
"{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}" = TIPCI
"{12688FD7-CB92-4A5B-BEE4-5C8E0574434F}" = Utility Common Driver
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"{2604C0F9-BFD3-4BA0-9EB5-22537C648F03}" = MobileMe Control Panel
"{37C866E4-AA67-4725-9E95-A39968DD7960}" = Camera Assistant Software for Toshiba
"{55584E16-4D70-44EE-93DD-F144E8B7D4B7}" = QuickBooks Product Listing Service
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E545666-F422-45FD-B3DF-C0B99A1A579F}" = QuickBooks Pro 2007
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}" = CD/DVD Drive Acoustic Silencer
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF}" = Magic Online
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}" = Toshiba Registration
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML (Private Edition)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG Free 8.5
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2008-01-24
"DVD Shrink_is1" = DVD Shrink 3.2
"ExamView Pro" = ExamView Pro
"GTK 2.0" = GTK+ Runtime 2.12.8 rev a (remove only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"InfraRecorder" = InfraRecorder
"InstallShield_{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = WinDVD for TOSHIBA
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2007b" = Microsoft Money Essentials
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Picasa 3" = Picasa 3
"Pidgin" = Pidgin
"STANDARDR" = Microsoft Office Standard 2007
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Game Console" = TOSHIBA Game Console
"TOSHIBA Media Center Game Console" = TOSHIBA Media Center Game Console
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"uTorrent" = µTorrent
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"WinGimp-2.0_is1" = GIMP 2.4.6
"WT017700" = Bejeweled 2 Deluxe
"WT017710" = Blackhawk Striker 2
"WT017720" = Blasterball 3
"WT017760" = Chuzzle Deluxe
"WT017800" = FATE
"WT017840" = JEOPARDY
"WT017910" = Penguins!
"WT017930" = Polar Bowler
"WT017940" = Polar Golfer
"WT017980" = SCRABBLE

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3993617172-3015776422-698419813-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/13/2010 4:14:39 AM | Computer Name = FozzieMobile | Source = SPP | ID = 16387
Description =

Error - 4/13/2010 4:14:39 AM | Computer Name = FozzieMobile | Source = System Restore | ID = 8193
Description =

Error - 4/13/2010 4:14:39 AM | Computer Name = FozzieMobile | Source = System Restore | ID = 8210
Description =

Error - 4/13/2010 7:19:17 AM | Computer Name = FozzieMobile | Source = Microsoft-Windows-CAPI2 | ID = 131077
Description =

Error - 4/13/2010 7:19:17 AM | Computer Name = FozzieMobile | Source = Microsoft-Windows-CAPI2 | ID = 131077
Description =

Error - 4/13/2010 9:33:51 AM | Computer Name = FozzieMobile | Source = SPP | ID = 16387
Description =

Error - 4/13/2010 9:33:52 AM | Computer Name = FozzieMobile | Source = System Restore | ID = 8193
Description =

Error - 4/13/2010 9:34:11 AM | Computer Name = FozzieMobile | Source = SPP | ID = 16387
Description =

Error - 4/13/2010 9:34:11 AM | Computer Name = FozzieMobile | Source = System Restore | ID = 8193
Description =

Error - 4/13/2010 10:38:21 AM | Computer Name = FozzieMobile | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 6.0.6001.18000, time stamp
0x47918b89, faulting module Flash9f.ocx, version 9.0.124.0, time stamp 0x47e8643e,
exception code 0xc00000fd, fault offset 0x002389d5, process id 0x1600, application
start time 0x01cadad05a683115.

[ OSession Events ]
Error - 8/7/2008 8:37:43 PM | Computer Name = Owner-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 1209
seconds with 420 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/28/2010 10:03:17 PM | Computer Name = FozzieMobile | Source = DCOM | ID = 10005
Description =

Error - 4/29/2010 1:41:13 AM | Computer Name = FozzieMobile | Source = DCOM | ID = 10005
Description =

Error - 4/29/2010 2:17:07 AM | Computer Name = FozzieMobile | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.101 for the Network Card with network
address 0016D4F89476 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 4/29/2010 2:19:34 AM | Computer Name = FozzieMobile | Source = DCOM | ID = 10005
Description =

Error - 4/29/2010 2:19:41 AM | Computer Name = FozzieMobile | Source = DCOM | ID = 10005
Description =

Error - 4/29/2010 2:19:42 AM | Computer Name = FozzieMobile | Source = DCOM | ID = 10005
Description =

Error - 4/29/2010 2:19:46 AM | Computer Name = FozzieMobile | Source = DCOM | ID = 10005
Description =

Error - 4/29/2010 2:19:59 AM | Computer Name = FozzieMobile | Source = Service Control Manager | ID = 7001
Description =

Error - 4/29/2010 2:19:59 AM | Computer Name = FozzieMobile | Source = Service Control Manager | ID = 7026
Description =

Error - 4/29/2010 2:21:20 AM | Computer Name = FozzieMobile | Source = Service Control Manager | ID = 7001
Description =


< End of report >


-----------------------------------------------------------------------------------------------------

Again, I can't get GMER to run properly, and so I can't include the log file.


Thank you again for your time and effort!

Edited by tfue, 29 April 2010 - 02:13 AM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:18 AM

Posted 29 April 2010 - 07:55 AM

Hi, could you please try to run GMER with only the Sections option checked?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 tfue

tfue
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:18 AM

Posted 29 April 2010 - 08:31 AM

Hello Elise,

Here's the GMER log with only the Sections option scanned:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 06:29:07
Windows 6.0.6001 Service Pack 1
Running: xolqbtv8.exe; Driver: C:\Users\Brooke\AppData\Local\Temp\pxlyapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\System32\DRIVERS\netbt.sys entry point in ".rsrc" section [0x8EAA9014]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtProtectVirtualMemory 77618968 5 Bytes JMP 0070000A
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtWriteVirtualMemory 776192A8 5 Bytes JMP 0072000A
.text C:\Windows\system32\svchost.exe[904] ntdll.dll!KiUserExceptionDispatcher 776199E8 5 Bytes JMP 006F000A
.text C:\Windows\system32\svchost.exe[904] ole32.dll!CoCreateInstance 75E7E188 5 Bytes JMP 011A000A
.text C:\Windows\system32\svchost.exe[904] USER32.dll!GetCursorPos 77540F5E 5 Bytes JMP 011B000A
.text C:\Windows\Explorer.EXE[1556] ntdll.dll!NtProtectVirtualMemory 77618968 5 Bytes JMP 007D000A
.text C:\Windows\Explorer.EXE[1556] ntdll.dll!NtWriteVirtualMemory 776192A8 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[1556] ntdll.dll!KiUserExceptionDispatcher 776199E8 5 Bytes JMP 007C000A

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\DRIVERS\netbt.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:18 AM

Posted 29 April 2010 - 09:07 AM

Hi, unfortunately you have a nasty rootkit there. Please consider the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:18 AM

Posted 04 May 2010 - 10:55 AM

Hello, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 tfue

tfue
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:18 AM

Posted 04 May 2010 - 11:43 AM

I'm sorry I haven't responded sooner.

Thank you very much for your time and effort so far. I've discussed this with my wife, and we've decided that we'd prefer to be safe, so I am proceeding with a complete reformatting of the infected drive.

Thank you once again for your help!

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:18 AM

Posted 04 May 2010 - 11:51 AM

Hi, that is indeed the safest course of action. Please find below some general information that might be of use. I will now close this topic. In case you need it reopened, please send me a PM.

Please read these advices, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users