Rootkit found with AVG 11

This topic is locked
7 replies to this topic

#1 whatisavailable (Members, 212 posts, Texas)

Posted 06 July 2011 - 11:21 PM

Hi
I ran AVG 11 on my sister's computer using the rootkit scan. It found the following:

c:\windows\system32\dla\tfsnifs.sys IRP hook, \Filesystem\cdfs irp_mj_file_system_control -> tfsnifs.sys getsystemtype+0xC526
c:\windows\system32\dla\tfsnifs.sys IRP hook, \filesystem\fs_rec IRP_MJ_FILE_SYSTEM_CONTROL -> tfsnifs.sys GetSystemType +0xC38a

Machine is a Windows XP SP3.
Malwarebytes did not locate this item. Spybot was clean.

RKU found the following stealth

0xEEE377D0 unknown thread object [ ethread 0xff5c6630 ] , 600 bytes
0xEEEA2EE0 Unknown thread object [ ETHREAD 0xFF5C76A8 ] , 600 bytes

I'm typing in the data from another computer since I don't want to risk infecting or having other data compromised.

I would appreciate anyone giving me some instructions to follow to get rid of this junk.

Thanks!!!!
Jim

BTW, I did run defogger. Apologies in advance if I did some things out of order that will drive you nutso :-)

#2 Broni, The Coolest BC Computer (BC Advisor, 42,656 posts, Daly City, CA)

Posted 06 July 2011 - 11:30 PM

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donate button.


#3 whatisavailable, Topic Starter (Members, 212 posts, Texas)

Posted 06 July 2011 - 11:44 PM

Hi
Thanks for the quick reply.
I ran the file as requested but it advised there were no infections found after 13 seconds and 225 objects.
Jim

#4 Broni, The Coolest BC Computer (BC Advisor, 42,656 posts, Daly City, CA)

Posted 06 July 2011 - 11:46 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#5 whatisavailable, Topic Starter (Members, 212 posts, Texas)

Posted 07 July 2011 - 12:33 AM

Thanks. Per your instructions (it took a LONG time to run)

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-07 00:19:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-75GVA0 rev.08.02D08
Running: 8s5iip64.exe; Driver: C:\DOCUME~1\LINDAH~1\LOCALS~1\Temp\fwliraoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xEF89E6C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xEF89E770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xEF89E810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xEF89E8B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2B0C 4 Bytes CALL 8F051A9A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----
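
As an added example that is not part of this thread (and not GMER's or AVG's own code), here is a small Python triage script that parses the hook-bearing sections of a GMER 1.0.15 log like the one above (SSDT, Kernel code sections, Devices) into records and groups them by driver and by the vendor text GMER printed beside it; the sample lines are copied from the log above, and the split into "attributed" and "unattributed" entries is this script's own convention. It shows why a hook listing alone is not a verdict: in this log the SSDT hooks belong to AVG's IDS driver and tfsnifs.sys is Sonic's Drive Letter Access component, while the inline CALL patch in ntoskrnl.exe carries no vendor and is the entry still needing attribution.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the GMER 1.0.15 log posted earlier in this thread.
# The registry section is left out: it lists COM class registrations, not hooks.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xEF89E6C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xEF89E770]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2B0C 4 Bytes CALL 8F051A9A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""

# One regex per GMER line shape we care about (the registry "Reg ..." lines are ignored).
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>.*?)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
CODE_RE = re.compile(
    r"^\.text\s+(?P<sym>\S+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+(?P<addr>[0-9A-Fa-f]+)"
    r"\s+(?P<size>\d+)\s+Bytes\s+(?P<patch>.+)$")
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)\s+(?P<targets>.*?)(?P<module>\S+\.[sS][yY][sS])"
    r"(?:\s+\((?P<desc>.*?)\))?\s*$")


@dataclass
class Hook:
    kind: str    # "SSDT", "CODE" (inline kernel patch) or "DEVICE" (device stack entry)
    module: str  # driver or image GMER names for the hook
    vendor: str  # vendor part of GMER's "(description/vendor)" text, "" if GMER printed none
    detail: str  # hooked function, patched symbol, or the device stack attached to


def _vendor(desc):
    """GMER prints '(description/vendor)'; take the vendor after the last slash."""
    if not desc or "/" not in desc:
        return ""
    return desc.rsplit("/", 1)[1].strip()


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Turn the SSDT / kernel code / device sections of a GMER log into Hook records."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = SSDT_RE.match(line)
        if m:
            hooks.append(Hook("SSDT", _basename(m["module"]), _vendor(m["desc"]), m["func"]))
            continue
        m = CODE_RE.match(line)
        if m:
            image, _, sym = m["sym"].partition("!")
            hooks.append(Hook("CODE", image, "", f"{sym}+{m['off']} {m['patch']}"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            hooks.append(Hook("DEVICE", m["module"], _vendor(m["desc"]), m["targets"].strip()))
    return hooks


def summarize(hooks):
    """Group hooks per module: who the vendor is and what that module touches."""
    out = {}
    for h in hooks:
        entry = out.setdefault(h.module, {"vendor": "", "ssdt": [], "patches": [], "devices": []})
        if h.vendor and not entry["vendor"]:
            entry["vendor"] = h.vendor
        entry[{"SSDT": "ssdt", "CODE": "patches", "DEVICE": "devices"}[h.kind]].append(h.detail)
    return out


def unattributed(hooks):
    """Modules GMER reported with no vendor text: the entries a reviewer must still identify."""
    return sorted({h.module for h in hooks if not h.vendor})


def report(hooks):
    lines = []
    for module, info in summarize(hooks).items():
        lines.append(f"{module}: vendor={info['vendor'] or '(none printed)'}")
        for key in ("ssdt", "patches", "devices"):
            for detail in info[key]:
                lines.append(f"    {key}: {detail}")
    lines.append("needs attribution: " + (", ".join(unattributed(hooks)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_gmer(SAMPLE_LOG)))
```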

#6 Broni, The Coolest BC Computer (BC Advisor, 42,656 posts, Daly City, CA)

Posted 07 July 2011 - 07:08 PM

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!


#7 whatisavailable, Topic Starter (Members, 212 posts, Texas)

Posted 07 July 2011 - 09:47 PM

Thank you! I must say that it sounds a bit scary needing to be sent to "a team" :-)

Placed a new post here: http://www.bleepingcomputer.com/forums/topic408343.html

Jim

#8 Broni, The Coolest BC Computer (BC Advisor, 42,656 posts, Daly City, CA)

Posted 07 July 2011 - 09:49 PM

Thank you :)
They'll take care of you....
