Google Search Redirect


  • This topic is locked
45 replies to this topic

#1 BreadTM

BreadTM

  • Members
  • 30 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 24 July 2011 - 05:42 AM

Whenever I search on google, every once in a while it redirects to something like http:// 64 dot 111 dot 211 dot 172 or find-fast-answers.com. At first I ignored it, thinking it was going to be easy to remove, but that has not been the case. I tried running Spybot, Malwarebytes, and Avast! already [all in safe mode.] They each found something, but it didn't remove the redirect.
Also, this happens in BOTH Firefox and Internet Explorer.

#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:16 AM

Posted 24 July 2011 - 11:30 AM

Hi BreadTM,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

:step1: Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.

:step2: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

:step3: Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (e.g. SAS_1710895.COM) to a USB drive or CD and transfer it to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:step4: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

:step5: As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please carefully follow the steps in the following guide:

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

Please download a new version of TDSSKiller, as it is updated often.

If after running TDSSKiller, you are still unable to update Malwarebytes' Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this here (please let me know if this is the case):

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic


In your next reply, please include:
  • Security Check log file
  • Malwarebytes' log file
  • SuperAntiSpyware log file
  • ESET log file
  • TDSSKiller log file (located at C:\)
  • How's the computer running now? Please provide a detailed description of any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 BreadTM

BreadTM
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:11:16 AM

Posted 24 July 2011 - 05:34 PM

Hey Jason, sorry for the delay, I just got home and should be home the rest of the day to fix this with you, thanks.
After doing these, I am still being redirected though.

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
ZoneAlarm
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.3.181.26
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
ALWILS~1 Avast5 avastUI.exe
Zone Labs ZoneAlarm zlclient.exe
``````````End of Log````````````





Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7264

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2011 3:48:13 PM
mbam-log-2011-07-24 (15-48-13).txt

Scan type: Quick scan
Objects scanned: 165107
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2011 at 05:04 PM

Application Version : 4.55.1000

Core Rules Database Version : 7452
Trace Rules Database Version: 5264

Scan type : Complete Scan
Total Scan Time : 01:10:04

Memory items scanned : 540
Memory threats detected : 0
Registry items scanned : 5769
Registry threats detected : 0
File items scanned : 67390
File threats detected : 82

Adware.Tracking Cookie

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aqrrtzbi.default\extensions\{0c828128-324e-4841-b69e-d03b5090ce3b}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aqrrtzbi.default\extensions\{0c828128-324e-4841-b69e-d03b5090ce3b}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aqrrtzbi.default\extensions\{35b7faf8-1cc5-4857-af5f-4ae834f54067}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aqrrtzbi.default\extensions\{35b7faf8-1cc5-4857-af5f-4ae834f54067}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aqrrtzbi.default\extensions\{3601ee76-cf77-4e93-bfcc-798649031fee}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aqrrtzbi.default\extensions\{3601ee76-cf77-4e93-bfcc-798649031fee}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{0c828128-324e-4841-b69e-d03b5090ce3b}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{0c828128-324e-4841-b69e-d03b5090ce3b}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{35b7faf8-1cc5-4857-af5f-4ae834f54067}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{35b7faf8-1cc5-4857-af5f-4ae834f54067}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{3601ee76-cf77-4e93-bfcc-798649031fee}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{3601ee76-cf77-4e93-bfcc-798649031fee}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted (after the next restart) - quarantined
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\16\2a3a0790-6e595771 multiple threats deleted - quarantined
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\33\30feb821-33804e88 multiple threats deleted - quarantined
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\40\4262a9e8-3438a562 multiple threats deleted - quarantined
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\52\31bba1f4-6885fe69 probably a variant of Win32/Agent.DYXWUMY trojan deleted - quarantined
C:\Documents and Settings\Kevin\Local Settings\Temp\NOD5065.tmp JS/Agent.NDJ trojan deleted (after the next restart) - quarantined




2011/07/24 18:24:30.0421 1864 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/24 18:24:32.0421 1864 ================================================================================
2011/07/24 18:24:32.0421 1864 SystemInfo:
2011/07/24 18:24:32.0421 1864
2011/07/24 18:24:32.0421 1864 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/24 18:24:32.0421 1864 Product type: Workstation
2011/07/24 18:24:32.0421 1864 ComputerName: BREADPUTER
2011/07/24 18:24:32.0421 1864 UserName: Kevin
2011/07/24 18:24:32.0421 1864 Windows directory: C:\WINDOWS
2011/07/24 18:24:32.0421 1864 System windows directory: C:\WINDOWS
2011/07/24 18:24:32.0421 1864 Processor architecture: Intel x86
2011/07/24 18:24:32.0421 1864 Number of processors: 2
2011/07/24 18:24:32.0421 1864 Page size: 0x1000
2011/07/24 18:24:32.0421 1864 Boot type: Normal boot
2011/07/24 18:24:32.0421 1864 ================================================================================
2011/07/24 18:24:33.0390 1864 Initialize success
2011/07/24 18:24:44.0406 4024 ================================================================================
2011/07/24 18:24:44.0406 4024 Scan started
2011/07/24 18:24:44.0406 4024 Mode: Manual;
2011/07/24 18:24:44.0406 4024 ================================================================================
2011/07/24 18:24:48.0312 4024 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/24 18:24:48.0343 4024 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/24 18:24:48.0406 4024 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/07/24 18:24:48.0421 4024 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/24 18:24:48.0468 4024 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/24 18:24:48.0468 4024 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/24 18:24:48.0515 4024 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/24 18:24:48.0578 4024 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/24 18:24:48.0609 4024 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/24 18:24:48.0640 4024 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/24 18:24:48.0656 4024 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/24 18:24:48.0671 4024 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/24 18:24:48.0703 4024 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/24 18:24:48.0734 4024 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/24 18:24:48.0890 4024 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/24 18:24:48.0937 4024 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/24 18:24:48.0984 4024 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/24 18:24:49.0031 4024 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/24 18:24:49.0046 4024 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/24 18:24:49.0078 4024 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/24 18:24:49.0093 4024 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/24 18:24:49.0156 4024 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/24 18:24:49.0187 4024 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/24 18:24:49.0265 4024 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/24 18:24:49.0484 4024 nv (5950e6cc9fb3fabb61604d395dbc8550) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/24 18:24:49.0671 4024 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/24 18:24:49.0687 4024 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/24 18:24:49.0718 4024 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/07/24 18:24:49.0734 4024 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/24 18:24:49.0765 4024 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/24 18:24:49.0812 4024 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/24 18:24:49.0859 4024 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/24 18:24:49.0968 4024 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/24 18:24:49.0968 4024 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/24 18:24:50.0000 4024 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/24 18:24:50.0031 4024 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/24 18:24:50.0156 4024 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/24 18:24:50.0171 4024 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/24 18:24:50.0187 4024 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/24 18:24:50.0187 4024 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/24 18:24:50.0218 4024 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/24 18:24:50.0234 4024 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/24 18:24:50.0250 4024 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/24 18:24:50.0281 4024 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/24 18:24:50.0328 4024 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/24 18:24:50.0375 4024 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/07/24 18:24:50.0421 4024 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/07/24 18:24:50.0437 4024 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/07/24 18:24:50.0578 4024 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/07/24 18:24:50.0609 4024 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/07/24 18:24:50.0687 4024 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/24 18:24:50.0718 4024 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/07/24 18:24:50.0750 4024 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/24 18:24:50.0796 4024 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/24 18:24:50.0828 4024 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/24 18:24:50.0953 4024 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/24 18:24:51.0046 4024 STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys
2011/07/24 18:24:51.0125 4024 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/24 18:24:51.0171 4024 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/24 18:24:51.0281 4024 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/24 18:24:51.0343 4024 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/24 18:24:51.0437 4024 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/24 18:24:51.0453 4024 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/24 18:24:51.0484 4024 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/24 18:24:51.0531 4024 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/24 18:24:51.0625 4024 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
2011/07/24 18:24:51.0671 4024 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/24 18:24:51.0734 4024 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/24 18:24:51.0750 4024 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/24 18:24:51.0796 4024 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/24 18:24:51.0843 4024 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/24 18:24:51.0906 4024 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/24 18:24:51.0968 4024 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/24 18:24:52.0015 4024 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/24 18:24:52.0046 4024 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/24 18:24:52.0125 4024 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
2011/07/24 18:24:52.0296 4024 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/24 18:24:52.0406 4024 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/07/24 18:24:52.0515 4024 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/24 18:24:52.0593 4024 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/07/24 18:24:52.0687 4024 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/07/24 18:24:52.0781 4024 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/24 18:24:52.0796 4024 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/24 18:24:52.0859 4024 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
2011/07/24 18:24:52.0921 4024 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/24 18:24:53.0046 4024 MBR (0x1B8) (a4a15d6782e6fe1dce41a606cb3affe3) \Device\Harddisk1\DR2
2011/07/24 18:24:53.0078 4024 Boot (0x1200) (cff669926362397f7dc167c2d2b1a362) \Device\Harddisk0\DR0\Partition0
2011/07/24 18:24:53.0078 4024 Boot (0x1200) (e08f96b3546c1b3a6f980e54c9e46945) \Device\Harddisk1\DR2\Partition0
2011/07/24 18:24:53.0078 4024 ================================================================================
2011/07/24 18:24:53.0078 4024 Scan finished
2011/07/24 18:24:53.0078 4024 ================================================================================
2011/07/24 18:24:53.0093 1220 Detected object count: 0
2011/07/24 18:24:53.0093 1220 Actual detected object count: 0
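An added example, not part of the thread and not something TDSSKiller itself does: a short Python script that parses lines in the layout of the log above and groups the drivers by where their image lives. The sample lines are copied from that log; the grouping rule (anything loaded from outside the system32\drivers folder gets a second look) is added triage logic, not output of the tool.

```python
import re
from collections import defaultdict

# Constructed excerpt in the line layout of the TDSSKiller log above
# (timestamp, scanner PID, service name, MD5 of the image, image path);
# the entries themselves are copied from that log.
SAMPLE_LOG = r"""
2011/07/24 18:24:47.0078 4024 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/24 18:24:50.0578 4024 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/07/24 18:24:51.0625 4024 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
2011/07/24 18:24:52.0125 4024 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
2011/07/24 18:24:52.0921 4024 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/24 18:24:53.0078 4024 Boot (0x1200) (cff669926362397f7dc167c2d2b1a362) \Device\Harddisk0\DR0\Partition0
2011/07/24 18:24:53.0078 4024 ================================================================================
2011/07/24 18:24:53.0078 4024 Scan finished
2011/07/24 18:24:53.0093 1220 Detected object count: 0
2011/07/24 18:24:53.0093 1220 Actual detected object count: 0
"""

# One scanned object per line: "<timestamp> <pid> <name> (<md5>) <path>".
# The name is matched lazily so "MBR (0x1B8)" keeps its parenthesised size.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$"
)
COUNT_RE = re.compile(r"\d+\s+Detected object count:\s*(\d+)\s*$", re.MULTILINE)


def parse_entries(text):
    """Return one dict per scanned object; separators and status lines do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify_path(path):
    """Where the image lives decides how much attention it gets on a first pass."""
    low = path.lower()
    if low.startswith("\\device\\"):
        return "boot-sector"      # MBR / boot-sector hashes, not files on disk
    if low.startswith("c:\\windows\\system32\\drivers\\"):
        return "standard"         # the usual home for kernel drivers
    if low.startswith("c:\\windows\\system32\\"):
        return "system32-root"    # a driver image outside the drivers folder
    return "third-party"          # Program Files and anything else: verify the vendor


def triage(text):
    """Group service names by the class of their image path."""
    groups = defaultdict(list)
    for e in parse_entries(text):
        groups[classify_path(e["path"])].append(e["name"])
    return dict(groups)


def detected_count(text):
    """TDSSKiller's own verdict line, or None if the log is cut off before it."""
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for group, names in triage(SAMPLE_LOG).items():
        print(f"{group:14s} {', '.join(names)}")
    print("detected objects:", detected_count(SAMPLE_LOG))
```

Against a full log, read the file and pass its text to triage(). The "third-party" hits in this excerpt are the SUPERAntiSpyware and Unlocker drivers, both products whose drivers belong where they are, which is why the grouping is a prompt to look each entry up rather than a verdict.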

#4 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 July 2011 - 06:41 PM

Hi BreadTM,

Are you redirecting in all browsers (Firefox as well as Internet Explorer)?

:step1: Please download MiniToolBox and run it.

Check the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

:step2: Let's upload a couple files for a second opinion on what they actually are.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Virustotal: http://www.virustotal.com/

When the Virustotal page has finished loading, click the Choose File button, navigate to each of the following files and click Send File.

C:\WINDOWS\system32\DRIVERS\cdrom.sys

C:\WINDOWS\system32\drivers\cercsr6.sys


Please post back the website address (URL) of each Virustotal result in your next post.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#5 BreadTM

  • Topic Starter
  • Members
  • 30 posts

Posted 24 July 2011 - 06:51 PM

Yes, this is happening in both Firefox and Internet Explorer.
I think I did the Virustotal links correctly; let me know if they're correct.

MiniToolBox by Farbar
Ran by Kevin (administrator) on 24-07-2011 at 19:47:16
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com

There are 15026 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : breadputer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Intel® 82566DC Gigabit Network Connection
Physical Address. . . . . . . . . : 00-19-D1-00-EA-83
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
71.242.0.12
Lease Obtained. . . . . . . . . . : Sunday, July 24, 2011 6:28:27 PM
Lease Expires . . . . . . . . . . : Monday, July 25, 2011 6:28:27 PM

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.91.103, 74.125.91.105, 74.125.91.147, 74.125.91.99
74.125.91.104, 74.125.91.106

Pinging google.com [74.125.91.106] with 32 bytes of data:

Reply from 74.125.91.106: bytes=32 time=33ms TTL=252
Request timed out.

Ping statistics for 74.125.91.106:
Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 33ms, Maximum = 33ms, Average = 33ms

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=95ms TTL=250
Reply from 72.30.2.43: bytes=32 time=100ms TTL=250

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 95ms, Maximum = 100ms, Average = 97ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 d1 00 ea 83 ...... Intel® 82566DC Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 20
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 20
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 20
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/24/2011 07:26:52 AM) (Source: Application Hang) (User: )
Description: Fault bucket 00000009.

Error: (07/24/2011 07:26:37 AM) (Source: Application Hang) (User: )
Description: Hanging application vlc.exe, version 1.1.11.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/24/2011 06:00:01 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/24/2011 06:00:01 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/22/2011 06:15:06 PM) (Source: Application Error) (User: )
Description: Fault bucket 00000009.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (07/22/2011 06:15:03 PM) (Source: Application Error) (User: )
Description: Faulting application javaw.exe, version 6.0.210.7, faulting module portabledeviceapi.dll, version 5.2.5721.5145, fault address 0x0000dfcb.
Processing media-specific event for [javaw.exe!ws!]

Error: (07/21/2011 07:02:12 PM) (Source: Application Error) (User: )
Description: Fault bucket 1981069756.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (07/21/2011 07:02:03 PM) (Source: Application Error) (User: )
Description: Faulting application javaw.exe, version 6.0.210.7, faulting module portabledeviceapi.dll, version 5.2.5721.5145, fault address 0x0000dfcb.
Processing media-specific event for [javaw.exe!ws!]

Error: (07/13/2011 08:46:03 PM) (Source: Application Error) (User: )
Description: Fault bucket 00000009.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (07/13/2011 08:45:59 PM) (Source: Application Error) (User: )
Description: Faulting application javaw.exe, version 6.0.210.7, faulting module portabledeviceapi.dll, version 5.2.5721.5145, fault address 0x0000dfcb.
Processing media-specific event for [javaw.exe!ws!]


System errors:
=============
Error: (07/24/2011 06:24:53 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:24:53 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:24:53 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:24:53 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:24:53 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:00:20 AM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:00:20 AM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:00:20 AM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:00:20 AM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (07/24/2011 06:00:20 AM) (Source: 0) (User: )
Description: \Device\Harddisk1\D


Microsoft Office Sessions:
=========================
Error: (07/24/2011 07:26:52 AM) (Source: Application Hang)(User: )
Description: 00000009

Error: (07/24/2011 07:26:37 AM) (Source: Application Hang)(User: )
Description: vlc.exe1.1.11.0hungapp0.0.0.000000000

Error: (07/24/2011 06:00:01 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/24/2011 06:00:01 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/22/2011 06:15:06 PM) (Source: Application Error)(User: )
Description: 00000009

Error: (07/22/2011 06:15:03 PM) (Source: Application Error)(User: )
Description: javaw.exe6.0.210.7portabledeviceapi.dll5.2.5721.51450000dfcb

Error: (07/21/2011 07:02:12 PM) (Source: Application Error)(User: )
Description: 1981069756

Error: (07/21/2011 07:02:03 PM) (Source: Application Error)(User: )
Description: javaw.exe6.0.210.7portabledeviceapi.dll5.2.5721.51450000dfcb

Error: (07/13/2011 08:46:03 PM) (Source: Application Error)(User: )
Description: 00000009

Error: (07/13/2011 08:45:59 PM) (Source: Application Error)(User: )
Description: javaw.exe6.0.210.7portabledeviceapi.dll5.2.5721.51450000dfcb


========================= Memory info: ===================================

Percentage of memory in use: 38%
Total physical RAM: 1021.85 MB
Available physical RAM: 626.56 MB
Total Pagefile: 2458.39 MB
Available Pagefile: 1782.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.54 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:232.82 GB) (Free:205.07 GB) NTFS
3 Drive e: (OneTouch 4) (Fixed) (Total:298.09 GB) (Free:252.72 GB) NTFS

========================= Users: ========================================

User accounts for \\BREADPUTER

Admin ASPNET Guest
HelpAssistant Kevin SUPPORT_388945a0


== End of log ==


http://www.virustotal.com/file-scan/report.html?id=88d9c066ffb863910ee1863ce63d38846aca2df72d6b5fdfce0f3379a6da5ef9-1311269356
http://www.virustotal.com/file-scan/report.html?id=65cacfa643e52a0c0e6b2d901228a8a0ad4993cafa3c287e65395f4b7c521089-1310743904

Edited by BreadTM, 24 July 2011 - 06:52 PM.
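An added example, not part of the thread and not MiniToolBox's own code, covering what post #4 asked for and what the report above shows: a Python parser for the report layout that separates hosts-file entries which only block a name (127.0.0.1 and 0.0.0.0 mappings, the kind Spybot's Immunize feature writes by the thousand, which is where the 15,026 lines come from) from entries that point a name at a routable address, and that pulls the DNS servers out of the ipconfig section, continuation line included. The sample report is constructed: it keeps a few lines from the post and adds two made-up 192.0.2.10 entries (a range reserved for documentation) so the redirect check has something to find. The real report above contains no such entry.

```python
import ipaddress
import re

# Constructed sample in MiniToolBox's report layout. The 127.0.0.1 lines and the DNS
# servers are copied from the report above; the two 192.0.2.10 entries are made up
# (192.0.2.0/24 is reserved for documentation) so that the redirect check has
# something to find. The real report contains no such entry.
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 ads.example.test
192.0.2.10 www.google.com
192.0.2.10 update.microsoft.com

There are 15026 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

DNS Servers . . . . . . . . . . . : 192.168.1.1

71.242.0.12

Lease Obtained. . . . . . . . . . : Sunday, July 24, 2011 6:28:27 PM
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?):\s*=+$")
DNS_RE = re.compile(r"^DNS Servers[ .]*:\s*(?P<ip>\S+)$")


def split_sections(text):
    """Map each '==== Name: ====' header to the lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def _ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def hosts_entries(text):
    """(hostname, ip) pairs from the Hosts content section. Comments, blank lines and
    MiniToolBox's own 'There are N more lines' summary are skipped."""
    pairs = []
    for line in split_sections(text).get("Hosts content", []):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or _ip(fields[0]) is None:
            continue
        pairs.extend((host, fields[0]) for host in fields[1:])
    return pairs


def hosts_redirects(text):
    """Entries that send a name to a routable address. Loopback and 0.0.0.0 entries only
    block a name (Spybot's Immunize feature writes thousands of them), so they are not
    findings; anything else can silently redirect a site the user types."""
    out = []
    for host, ip in hosts_entries(text):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_loopback or addr.is_unspecified):
            out.append((host, ip))
    return out


def hosts_block_count(text):
    return len(hosts_entries(text)) - len(hosts_redirects(text))


def dns_servers(text):
    """Resolvers from the IP Configuration section. ipconfig prints extra servers on
    their own lines under the first one, so continuation lines are collected until a
    line that is not a bare address."""
    servers, collecting = [], False
    for line in split_sections(text).get("IP Configuration", []):
        s = line.strip()
        m = DNS_RE.match(s)
        if m:
            servers.append(m.group("ip"))
            collecting = True
        elif collecting and s:
            if _ip(s) is None:
                collecting = False
            else:
                servers.append(s)
    return servers


def public_dns_servers(text):
    """Resolvers outside private address space: confirm them against the ISP's
    published ones, since a swapped resolver is another way searches get redirected."""
    return [s for s in dns_servers(text) if ipaddress.ip_address(s).is_global]


if __name__ == "__main__":
    print("hosts blocking entries:", hosts_block_count(SAMPLE_REPORT))
    print("hosts redirects:", hosts_redirects(SAMPLE_REPORT))
    print("dns servers:", dns_servers(SAMPLE_REPORT), "public:", public_dns_servers(SAMPLE_REPORT))
```

On the real report above the redirect list comes back empty and the second resolver (71.242.0.12) is the only one the script would ask you to confirm with the ISP; an empty hosts-redirect list plus unchanged resolvers is what points the investigation toward the browser itself, which is where the thread goes next.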


#6 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 July 2011 - 07:03 PM

Hi BreadTM,

Yes, you did post the Virustotal links correctly. However, those files are not malware.

:step1: Please download GooredFix and save it to your Desktop. Click Yes when prompted. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Edited by jntkwx, 24 July 2011 - 07:04 PM.

Regards,
Jason


#7 BreadTM

  • Topic Starter
  • Members
  • 30 posts

Posted 24 July 2011 - 07:08 PM

GooredFix by jpshortstuff (03.07.10.1)
Log created at 20:08 on 24/07/2011 (Kevin)
Firefox version 5.0 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{3601ee76-cf77-4e93-bfcc-798649031fee}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:17 21/01/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [21:16 02/08/2010]

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\
{0c828128-324e-4841-b69e-d03b5090ce3b} [07:10 24/07/2011]
{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [13:21 26/06/2011]
{35b7faf8-1cc5-4857-af5f-4ae834f54067} [02:07 22/07/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [22:42 31/10/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:31 05/04/2010]

-=E.O.F=-
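An added example, not part of the thread and not GooredFix's own code: a Python parser for the GooredFix log layout above (the posted log is used unchanged as the sample input) that lists which extension entries were added within a chosen window before the log was written. Recently added extensions, like the two profile-level entries dated 22 and 24 July here, are the first thing to review on a browser that redirects; the 7-day window is an assumption for this example.

```python
import re
from datetime import datetime, timedelta

# The GooredFix log posted above, used unchanged as the sample input.
SAMPLE_LOG = r"""GooredFix by jpshortstuff (03.07.10.1)
Log created at 20:08 on 24/07/2011 (Kevin)
Firefox version 5.0 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\{3601ee76-cf77-4e93-bfcc-798649031fee}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:17 21/01/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [21:16 02/08/2010]

C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\ib4x1vzi.default\extensions\
{0c828128-324e-4841-b69e-d03b5090ce3b} [07:10 24/07/2011]
{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [13:21 26/06/2011]
{35b7faf8-1cc5-4857-af5f-4ae834f54067} [02:07 22/07/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [22:42 31/10/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:31 05/04/2010]

-=E.O.F=-
"""

CREATED_RE = re.compile(r"^Log created at (\d{2}:\d{2}) on (\d{2}/\d{2}/\d{4})")
DELETED_RE = re.compile(r'^Deleting "(?P<path>[^"]+)" -> Success!$')
# Directory entries look like  {guid} [HH:MM DD/MM/YYYY]; registry entries look like
# "id"="path" [HH:MM DD/MM/YYYY]. Both carry the timestamp GooredFix read for them.
ENTRY_RE = re.compile(
    r'^"?(?P<id>[^"\s]+?)"?(?:="(?P<path>[^"]*)")?\s+\[(?P<when>\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]$'
)
DT_FMT = "%H:%M %d/%m/%Y"


def parse_goored_log(text):
    """Return (log_time, removed_ids, entries). Each entry records the extension id,
    the location it was listed under (a directory or a registry key), the install
    path for registry entries, and the timestamp as a datetime."""
    created, removed, entries, location = None, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:
            created = datetime.strptime(f"{m.group(1)} {m.group(2)}", DT_FMT)
            continue
        m = DELETED_RE.match(line)
        if m:
            removed.append(m.group("path").rsplit("\\", 1)[-1])
            continue
        if line.endswith("\\") or (line.startswith("[") and line.endswith("]")):
            location = line          # a directory listing or a registry key follows
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "id": m.group("id"),
                "location": location,
                "path": m.group("path"),
                "installed": datetime.strptime(m.group("when"), DT_FMT),
            })
    if created is None:
        raise ValueError("no 'Log created at' header found")
    return created, removed, entries


def recent_extensions(text, days=7):
    """Ids of extensions whose timestamp falls within `days` before the log was made.
    The 7-day default is an assumption for this example."""
    created, _removed, entries = parse_goored_log(text)
    cutoff = created - timedelta(days=days)
    return [e["id"] for e in entries if e["installed"] >= cutoff]


def removed_extensions(text):
    """Ids that GooredFix reports having deleted."""
    return parse_goored_log(text)[1]


if __name__ == "__main__":
    created, removed, entries = parse_goored_log(SAMPLE_LOG)
    print("log time:", created, "| removed:", removed)
    for e in entries:
        print(f"{e['installed']:%Y-%m-%d %H:%M}  {e['id']}  under {e['location']}")
    print("added in the last 7 days:", recent_extensions(SAMPLE_LOG))
```

The timestamps are what GooredFix recorded for each entry, so the window is only as good as those; an extension whose directory was back-dated would not show up here, which is why a review of the profile-level entries by id is still worth doing even when the recent list is empty.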

#8 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 July 2011 - 07:13 PM

How's the computer running now? Still redirecting?
Regards,
Jason


#9 BreadTM

  • Topic Starter
  • Members
  • 30 posts

Posted 24 July 2011 - 07:19 PM

It seems to have been fixed!
Thank you very much, Jason.

#10 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 July 2011 - 07:24 PM

:thumbsup: Awesome!

Let's run one more scan, just to be sure we've gotten everything.

:step1: Please run the F-Secure Online Scanner
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

Edited by jntkwx, 24 July 2011 - 07:24 PM.

Regards,
Jason


#11 BreadTM

  • Topic Starter
  • Members
  • 30 posts

Posted 24 July 2011 - 08:34 PM

Scanning Report
Sunday, July 24, 2011 20:36:35 - 21:32:43

Computer name: BREADPUTER
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ E:\
2 malware found
Gen:Variant.Kazy.32028 (spyware)

System (Disinfected)

Gen:Variant.Kazy.32028 (virus)

C:\WINDOWS\SYSTEM32\AUDIODEV32.DLL (Not cleaned)

Statistics
Scanned:

Files: 45404
System: 3287
Not scanned: 8

Actions:

Disinfected: 1
Renamed: 0
Deleted: 0
Not cleaned: 1
Submitted: 0

Files not scanned:

C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\DOCUMENTS AND SETTINGS\KEVIN\LOCAL SETTINGS\TEMP\HSPERFDATA_KEVIN\3264
C:\DOCUMENTS AND SETTINGS\KEVIN\LOCAL SETTINGS\TEMP\HSPERFDATA_KEVIN\4080

Options
Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

#12 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 July 2011 - 08:42 PM

Looking good. :thumbup2: I think these are just leftovers.

Let's try and find if another antivirus will detect that one file that wasn't cleaned.

Please go to Virustotal: http://www.virustotal.com/
When the Virustotal page has finished loading, click the Choose File button and navigate to the following file and click Send File.

C:\WINDOWS\SYSTEM32\AUDIODEV32.DLL

Please post back the website address (URL) of the Virustotal result in your next post.
Regards,
Jason


#13 BreadTM

  • Topic Starter
  • Members
  • 30 posts

Posted 24 July 2011 - 08:46 PM

audiodev32.dll is not showing up and I have hidden files/system files being shown.

Here is audiodev.dll though...
http://www.virustotal.com/file-scan/report.html?id=bad65e874ef5ed0b1bc13224ecf1bf58cf4681efc8ab5ed41bd20abbe3f6c12a-1311303085

#14 jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 24 July 2011 - 08:49 PM

Try going to Tools > Folder Options > Select the View tab > Uncheck the box under Hide protected operating system files

See if that makes the file visible.
Regards,
Jason
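An added example, not from the thread, for the situation in the last two posts, where a scanner names a file that the user cannot find in Explorer. This Python helper searches a tree for the file name case-insensitively through the OS API (which lists hidden and system files whatever Explorer's folder options are set to hide), lists near-miss names such as audiodev.dll when audiodev32.dll was reported, and hashes what it does find so the SHA-256 can be looked up on VirusTotal without uploading anything. The directory tree it searches is constructed in a temporary folder with stand-in contents; it is not the real system32, and the file names used are only those mentioned in the thread.

```python
import difflib
import hashlib
import os
import tempfile


def find_file(root, name):
    """Case-insensitive search for an exact file name anywhere below root.
    os.walk goes through the OS API, which lists hidden and system files no matter
    what Explorer's folder options are set to hide."""
    wanted = name.lower()
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == wanted]


def near_misses(root, name, cutoff=0.8):
    """Files whose names are close to the reported one (audiodev.dll for audiodev32.dll);
    the similarity cutoff is an assumption for this example."""
    by_name = {}
    for d, _, files in os.walk(root):
        for f in files:
            by_name.setdefault(f.lower(), os.path.join(d, f))
    close = difflib.get_close_matches(name.lower(), list(by_name), n=5, cutoff=cutoff)
    return [by_name[c] for c in close]


def sha256_of(path):
    """SHA-256 of a file, read in chunks. The digest can be searched for on VirusTotal
    without sending the file anywhere."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def demo():
    """Runs the helpers against a constructed directory tree in a temporary folder
    (stand-in file contents, not real system files) and returns what was found."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINDOWS", "system32")
        os.makedirs(os.path.join(sys32, "drivers"))
        with open(os.path.join(sys32, "audiodev.dll"), "wb") as fh:
            fh.write(b"constructed stand-in, not a real DLL")
        driver_bytes = b"constructed stand-in, not a real driver"
        with open(os.path.join(sys32, "drivers", "cdrom.sys"), "wb") as fh:
            fh.write(driver_bytes)

        exact = find_file(root, "AUDIODEV32.DLL")      # the name the scan report gave
        similar = near_misses(root, "AUDIODEV32.DLL")
        cdrom = find_file(root, "CDROM.SYS")            # upper case, as scan reports print it
        return {
            "exact_found": bool(exact),
            "near_misses": [os.path.basename(p) for p in similar],
            "cdrom_found": len(cdrom) == 1,
            "cdrom_hash_ok": bool(cdrom)
            and sha256_of(cdrom[0]) == hashlib.sha256(driver_bytes).hexdigest(),
        }


if __name__ == "__main__":
    print(demo())
```

On the real machine the call would be find_file(r"C:\WINDOWS\system32", "AUDIODEV32.DLL") followed by sha256_of() on any hit. A listing taken from inside the running system can still be deceived by a rootkit, and a scanner's "not cleaned" file may simply have been removed after the scan, so an empty result means the question is unresolved rather than answered.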


#15 BreadTM

  • Topic Starter
  • Members
  • 30 posts

Posted 24 July 2011 - 08:52 PM

I double-checked and it was already unchecked.



