
Nasty Redirect and Proxy Server Infection-not sure if I got rid of it


  • Please log in to reply
9 replies to this topic

#1 help my computer

Posted 14 July 2011 - 09:23 PM

Hi,

I am sorry if this looks like a repost. I am new to the forums and did not realize I should not post logs unless asked and that my posts would be ignored if I do. So here goes my second try without the logs this time!

I am new to the forums and hope you can help. I am having some issues with my computer (XP). At first I was being redirected today where if I clicked on some sites, it did not take me there at first, but instead I would go to some random site. However, after a second try to get back on that same site, I could get on. I ran a scan and some things were found and quarantined (and eventually deleted). However, that is when everything got worse. I tried to do a system restore and couldn't (still can't). I couldn't get back online. It would say that a proxy server was not letting me access the internet, so I had to go to my advanced settings and uncheck the proxy server. Now I am back online. I ran another scan in safe mode and nothing was found. However, I am not convinced that my computer is safe. Especially since I can't do a system restore. Please let me know what to do to make sure whatever was on here is really off. Thank you.


#2 cryptodan (Bleepin Madman)

Posted 14 July 2011 - 09:32 PM

Hello,

And welcome to BleepingComputer.com. Before we can assist you with your question, "Am I infected?", you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

NOTE: Malwarebytes is now offering a free trial of their program. If you want to accept it, you will need to enter some billing information, so that at the end of the trial you would be charged the cost of the product. Please decline this offer if you are unable to provide billing information. If you want to try it out, then provide the billing information.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.

  • Scan with SUPERAntiSpyware as follows:
    • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes" and reboot normally.
    • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (e.g. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (e.g. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64-bit mode!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


All scans above should be performed in regular boot mode, and if that is not possible then I will post instructions in a follow up reply on how to get into Safe Mode to perform the scans. Also all scans should be COMPLETE and not quick unless specifically instructed to do so.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

#3 help my computer (Topic Starter)

Posted 15 July 2011 - 09:59 AM

Thank you for your help. I have finally completed all of the steps you gave me. I actually ran Malwarebytes yesterday when I first knew something was wrong, so I will give you that log plus the newer log in case you need to see what caused this mess:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7139

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/14/2011 3:27:07 PM
mbam-log-2011-07-14 (15-27-07).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 260602
Time elapsed: 2 hour(s), 20 minute(s), 50 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
c:\documents and settings\Kevin\application data\dwm.exe (Backdoor.Cycbot) -> 136 -> Unloaded process successfully.
c:\documents and settings\Kevin\application data\microsoft\conhost.exe (Trojan.Agent) -> 732 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Kevin\application data\dwm.exe (Backdoor.Cycbot) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0c8b5e16-8518-4b3e-8444-236a6a7c904e}\RP197\A0019695.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0c8b5e16-8518-4b3e-8444-236a6a7c904e}\RP218\A0022091.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Kevin\application data\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Kevin\local settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7139

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/14/2011 6:12:11 PM
mbam-log-2011-07-14 (18-12-11).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 261670
Time elapsed: 2 hour(s), 41 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Next is the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/15/2011 at 00:31 AM

Application Version : 4.55.1000

Core Rules Database Version : 7411
Trace Rules Database Version: 5223

Scan type : Complete Scan
Total Scan Time : 02:40:05

Memory items scanned : 504
Memory threats detected : 0
Registry items scanned : 5118
Registry threats detected : 0
File items scanned : 105487
File threats detected : 81

Adware.Tracking Cookie

Trojan.Agent/Gen-FakeAV
C:\DOCUMENTS AND SETTINGS\KEVIN\LOCAL SETTINGS\TEMP\JAR_CACHE2935098032666540247.TMP

Now the GMER:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-15 09:41:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 WDC_WD2000JD-22HBB0 rev.08.02D08
Running: 9evrv2qp.exe; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\kxtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT 89B47CD8 ZwAllocateVirtualMemory
SSDT 89C0B208 ZwCreateKey
SSDT 89B482E8 ZwCreateProcess
SSDT 89B48270 ZwCreateProcessEx
SSDT 89B47FA8 ZwCreateThread
SSDT 89B4BD10 ZwDeleteKey
SSDT 89B483D8 ZwDeleteValueKey
SSDT 89B48360 ZwOpenKey
SSDT 89B47D50 ZwQueueApcThread
SSDT 89B47BE8 ZwReadVirtualMemory
SSDT 89B9A0A8 ZwRenameKey
SSDT 89B47E40 ZwSetContextThread
SSDT 89B484C8 ZwSetInformationKey
SSDT 89B48180 ZwSetInformationProcess
SSDT 89B47EB8 ZwSetInformationThread
SSDT 89B48450 ZwSetValueKey
SSDT 89B47020 ZwSuspendProcess
SSDT 89B47DC8 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA8435640]
SSDT 89B47F30 ZwTerminateThread
SSDT 89B47C60 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 132 804E498C 8 Bytes CALL F0D7FE13
.text ntoskrnl.exe!ZwYieldExecution + 35E 804E4BB8 4 Bytes [E8, 7B, B4, 89]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 89B47A78
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 89B47A78
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 89B47A78
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 89B47A78
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 89B47A78
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 89B47A78
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 89B47B70
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 89B47A78

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip 894A3328
Device \Driver\Tcpip \Device\Ip 895D4020
Device \Driver\Tcpip \Device\Ip 8960D020
Device \Driver\Tcpip \Device\Ip 89734020
Device \Driver\Tcpip \Device\Ip 898E2310
Device \Driver\Tcpip \Device\Tcp 894A3328
Device \Driver\Tcpip \Device\Tcp 895D4020
Device \Driver\Tcpip \Device\Tcp 8960D020
Device \Driver\Tcpip \Device\Tcp 89734020
Device \Driver\Tcpip \Device\Tcp 898E2310
Device \Driver\Tcpip \Device\Udp 894A3328
Device \Driver\Tcpip \Device\Udp 895D4020
Device \Driver\Tcpip \Device\Udp 8960D020
Device \Driver\Tcpip \Device\Udp 89734020
Device \Driver\Tcpip \Device\Udp 898E2310
Device \Driver\Tcpip \Device\RawIp 894A3328
Device \Driver\Tcpip \Device\RawIp 895D4020
Device \Driver\Tcpip \Device\RawIp 8960D020
Device \Driver\Tcpip \Device\RawIp 89734020
Device \Driver\Tcpip \Device\RawIp 898E2310
Device \Driver\Tcpip \Device\IPMULTICAST 894A3328
Device \Driver\Tcpip \Device\IPMULTICAST 895D4020
Device \Driver\Tcpip \Device\IPMULTICAST 8960D020
Device \Driver\Tcpip \Device\IPMULTICAST 89734020
Device \Driver\Tcpip \Device\IPMULTICAST 898E2310

---- EOF - GMER 1.0.15 ----


Finally the MiniToolBox:

MiniToolBox by Farbar
Ran by Kevin (administrator) on 15-07-2011 at 09:45:54
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:58364

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 58364
"network.proxy.no_proxies_on", "*.local"
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : 500gr

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Belkin



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : Belkin

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-11-11-3B-EC-C1

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

192.168.0.1

Lease Obtained. . . . . . . . . . : Friday, July 15, 2011 6:50:52 AM

Lease Expires . . . . . . . . . . : Monday, January 18, 2038 10:14:07 PM

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.2.1

DNS request timed out.
timeout was 2 seconds.
Name: google.com
Address: 74.125.225.49



Pinging google.com [74.125.225.82] with 32 bytes of data:



Reply from 74.125.225.82: bytes=32 time=20ms TTL=51

Reply from 74.125.225.82: bytes=32 time=20ms TTL=51



Ping statistics for 74.125.225.82:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 20ms, Maximum = 20ms, Average = 20ms

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.2.1

DNS request timed out.
timeout was 2 seconds.
Name: yahoo.com
Address: 67.195.160.76



Pinging yahoo.com [67.195.160.76] with 32 bytes of data:



Reply from 67.195.160.76: bytes=32 time=72ms TTL=49

Reply from 67.195.160.76: bytes=32 time=72ms TTL=49



Ping statistics for 67.195.160.76:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 72ms, Maximum = 72ms, Average = 72ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 11 3b ec c1 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.2.3 192.168.2.3 20
192.168.2.0 255.255.255.0 192.168.2.3 192.168.2.3 20
192.168.2.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.2.255 255.255.255.255 192.168.2.3 192.168.2.3 20
224.0.0.0 240.0.0.0 192.168.2.3 192.168.2.3 20
255.255.255.255 255.255.255.255 192.168.2.3 192.168.2.3 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/14/2011 08:33:30 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (07/14/2011 08:33:21 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (07/11/2011 08:21:06 AM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/07/2011 06:46:53 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/07/2011 06:46:12 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/02/2011 08:04:18 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/02/2011 07:32:14 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/23/2011 07:45:23 PM) (Source: Application Hang) (User: )
Description: Hanging application gwb.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/23/2011 07:34:08 PM) (Source: Application Hang) (User: )
Description: Hanging application gwb.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/23/2011 07:33:14 PM) (Source: Application Hang) (User: )
Description: Hanging application gwb.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (07/14/2011 08:43:54 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (07/14/2011 07:53:13 PM) (Source: DCOM) (User: Administrator)
Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AD1-2166-11D1-B1D0-00805FC1270E}

Error: (07/14/2011 07:21:33 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Error: (07/14/2011 07:21:33 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (07/14/2011 07:21:33 PM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (07/14/2011 07:21:33 PM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (07/14/2011 07:21:33 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31

Error: (07/14/2011 07:21:33 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (07/14/2011 07:21:33 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31

Error: (07/14/2011 07:20:58 PM) (Source: DCOM) (User: Administrator)
Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}


Microsoft Office Sessions:
=========================
Error: (07/14/2011 08:33:30 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (07/14/2011 08:33:21 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe server name or address could not be resolved

Error: (07/11/2011 08:21:06 AM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (07/07/2011 06:46:53 PM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (07/07/2011 06:46:12 PM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (07/02/2011 08:04:18 PM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (07/02/2011 07:32:14 PM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (06/23/2011 07:45:23 PM) (Source: Application Hang)(User: )
Description: gwb.exe0.0.0.0hungapp0.0.0.000000000

Error: (06/23/2011 07:34:08 PM) (Source: Application Hang)(User: )
Description: gwb.exe0.0.0.0hungapp0.0.0.000000000

Error: (06/23/2011 07:33:14 PM) (Source: Application Hang)(User: )
Description: gwb.exe0.0.0.0hungapp0.0.0.000000000


== End of log ==


What should I do now? Thank you so much for your help!

#4 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 15 July 2011 - 10:00 AM

Are you still getting redirects?

#5 help my computer
  • Topic Starter

  • Members
  • 13 posts

Posted 15 July 2011 - 10:15 AM

No, I am not. I just want to make sure this thing is off. :)

#6 help my computer
  • Topic Starter

  • Members
  • 13 posts

Posted 15 July 2011 - 10:19 AM

I am not going to do a system restore now because it looks like these programs cleaned up my computer, but why couldn't I do one yesterday? Is that function messed up now by whatever was on my computer?

#7 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 15 July 2011 - 07:25 PM

Some malware can prevent system restore so it takes more work to get the infection removed.

#8 help my computer
  • Topic Starter

  • Members
  • 13 posts

Posted 16 July 2011 - 01:56 PM

Now my wireless keyboard is acting strangely. It is hard to type. Some keys do not register and some stick. This happened before I noticed the redirect too. Then after all the scans it seemed resolved, but now it is starting again. Is this related to malware/a virus?

Thank you for all of your help.

#9 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 16 July 2011 - 02:01 PM

Please perform the following, so that we can get the exact specs of your computer. This will better assist us in helping you.

Publish a Snapshot using Speccy

The below is for those who cannot get online

Please take caution when attaching a text file to your post: if you cannot copy/paste the link to your post, you will need to edit it to make sure that your Windows Key is not present.

#10 help my computer
  • Topic Starter

  • Members
  • 13 posts

Posted 25 July 2011 - 06:16 PM

Hi,
Sorry, I did not check your message. I totally missed it and now I have a problem again. The computer is redirecting again, this time to Groupon of all sites. It does not do it all the time, but I know it is a problem. I ran Malwarebytes and this is what the log showed:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7277

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/25/2011 5:32:34 PM
mbam-log-2011-07-25 (17-32-34).txt

Scan type: Quick scan
Objects scanned: 173636
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\WINDOWS\system32\rasrad32.exe (Trojan.Tracur.SGen) -> 1272 -> Unloaded process successfully.
c:\WINDOWS\system32\avicap3232.exe (Trojan.Tracur.SGen) -> 2880 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP32 (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0EF852C3-87CB-4D0E-B44C-529BC128FCE7} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0EF852C3-87CB-4D0E-B44C-529BC128FCE7} (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\rasrad32.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\avicap3232.exe (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\avicap3232.dll (Trojan.Tracur.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Kevin\local settings\Temp\tmph8671627056459558639.tmp (Trojan.Tracur.SGen) -> Quarantined and deleted successfully.


Now I am running SuperAntiSpyware. What should I do next? Is this the same virus as before? What am I doing wrong that I can't get this off / it keeps coming back? BTW, now my keyboard is working fine...

Thanks for your help.
