Browser hijacked Malwarebytes won't fix


45 replies to this topic

#1 TimsToys

TimsToys

  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:07 AM

Posted 24 July 2011 - 10:44 AM

Over the last couple of weeks, Malwarebytes keeps blocking me from going to Google websites, saying redirect blocked to 64.111.211.172. Then it says blocked outgoing to 91.217.153.48. I have run Malwarebytes a few times, Ad-Aware, cleaned out the cache and cookies, but no luck. The outgoing blocks are random times, and I see them pop up, but it usually happens when the computer is idle. I am not sure what to try next, as all the programs I try don't seem to fix it. Help would be appreciated.

Thanks in Advance,

Tim


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:07 AM

Posted 24 July 2011 - 11:29 AM

Hi TimsToys,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and will make the cleaning process faster.


Step 1: Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please post the contents of that document.

Step 2: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

Step 3: Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Step 4: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Step 5: As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please carefully follow the steps in the following guide:

How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller Please download a new version of TDSSKiller, as it is updated often.

If after running TDSSKiller, you are still unable to update Malwarebytes' Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this here (please let me know if this is the case):

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic


In your next reply, please include:
  • Security Check log file
  • Malwarebytes' log file
  • SuperAntiSpyware log file
  • ESET log file
  • TDSSKiller log file (located at C:\)
  • How's the computer running now? Please provide a detailed description of any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Edited by jntkwx, 24 July 2011 - 11:29 AM.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
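The TDSSKiller log requested in the step above lists every enumerated driver as a timestamp, a thread id, the service name, the image's MD5 in parentheses and the image path, which is exactly what a helper reads line by line when looking for a driver that does not belong. The script below is an added example written for this page, not code from the thread or from TDSSKiller, Malwarebytes or any other tool named here. It parses lines in that format and flags entries whose image is loaded from outside the Windows directory or whose MD5 is on a caller-supplied bad list; both checks are assumptions of the example, not features of TDSSKiller. The sample log is constructed for the example: the first four driver lines mirror the format seen in this thread, while the `svchelper` service, its path and its hash are invented.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverEntry:
    """One enumerated driver from a TDSSKiller log line."""
    timestamp: str
    thread_id: int
    service: str
    md5: str
    path: str


# Driver-enumeration lines look like:
#   2011/07/25 18:16:54.0921 3324 ACPI (8fd9...cf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
# Header, SystemInfo and "Scan started" lines lack the "(md5) path" tail and are skipped.
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<tid>\d+)\s+"
    r"(?P<service>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Constructed sample log for this example. The ACPI, atapi, Lbd and MBAMProtector lines
# follow the format on this page; the svchelper line (name, path and hash) is invented.
SAMPLE_LOG = r"""
2011/07/25 18:16:36.0343 2940 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/25 18:16:52.0718 3324 Scan started
2011/07/25 18:16:52.0718 3324 Mode: Manual;
2011/07/25 18:16:54.0921 3324 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/25 18:17:00.0515 3324 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/25 18:17:13.0828 3324 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/07/25 18:17:14.0500 3324 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/07/25 18:17:15.0000 3324 svchelper (00112233445566778899aabbccddeeff) C:\Documents and Settings\Dad\Local Settings\Temp\svchelper.sys
"""


def parse_tdsskiller(text: str) -> list[DriverEntry]:
    """Return the driver entries found in a TDSSKiller log, in log order."""
    entries = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            entries.append(DriverEntry(m["ts"], int(m["tid"]), m["service"],
                                       m["md5"].lower(), m["path"]))
    return entries


def flag_suspicious(entries, windows_dir=r"C:\WINDOWS", known_bad=frozenset()):
    """Heuristic triage (an assumption of this example, not a TDSSKiller feature).

    Flags a driver when its image lives outside the Windows directory or when its
    MD5 is on the caller-supplied bad list. Returns (entry, [reasons]) pairs.
    """
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    bad = {h.lower() for h in known_bad}
    flagged = []
    for e in entries:
        reasons = []
        if not e.path.lower().startswith(prefix):
            reasons.append("image outside Windows directory")
        if e.md5 in bad:
            reasons.append("MD5 on known-bad list")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    drivers = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(drivers)} drivers parsed")
    for entry, reasons in flag_suspicious(drivers):
        print(f"{entry.service}: {entry.path} ({'; '.join(reasons)})")
```

Point the script at a real log with `parse_tdsskiller(open(r"C:\TDSSKiller.<version>_<timestamp>_log.txt").read())`; the exact file name is whatever TDSSKiller wrote to C:\. The path check only narrows the list: a rootkit can just as well sit under C:\WINDOWS, so the MD5s of anything still unexplained should be compared against a trusted reference for that exact Windows build and service pack.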


#3 TimsToys

TimsToys
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:07 AM

Posted 25 July 2011 - 05:49 PM

Jason,

Did all of the above but still have issues.

The logs

Results of screen317's Security Check version 0.99.17
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Out of date HijackThis installed!
Malwarebytes' Anti-Malware
HijackThis 1.99.1
Hijackthis 1.99.1
Java™ 6 Update 23
Java™ 6 Update 3
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Mozilla Firefox (x86 en-US..)
Mozilla Thunderbird (3.1.10) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````



Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7260

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/24/2011 2:40:04 PM
mbam-log-2011-07-24 (14-40-04).txt

Scan type: Quick scan
Objects scanned: 169842
Time elapsed: 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2011 at 04:10 PM

Application Version : 4.55.1000

Core Rules Database Version : 7452
Trace Rules Database Version: 5264

Scan type : Quick Scan
Total Scan Time : 01:04:27

Memory items scanned : 546
Memory threats detected : 0
Registry items scanned : 1297
Registry threats detected : 4
File items scanned : 105746
File threats detected : 45

Malware.Trace
HKU\.DEFAULT\Software\JP595IR86O
HKU\S-1-5-18\Software\JP595IR86O
HKU\.DEFAULT\SOFTWARE\XML
HKU\S-1-5-18\SOFTWARE\XML

Adware.Tracking Cookie
acvs.mediaonenetwork.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
adimages.scrippsnetworks.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
adsatt.espn.go.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
bbca.channelfinder.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
cache.specificmedia.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
cdn.eyewonder.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
cdn.insights.gravity.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
cdn4.specificclick.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
content.oddcast.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
content.yieldmanager.edgesuite.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
convoad.technoratimedia.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
convoad.technoratimedia.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
core.insightexpressai.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
crackle.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
ds.serving-sys.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
espn360.channelfinder.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
googleads.g.doubleclick.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
ia.media-imdb.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
interclick.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
m1.2mdn.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
media.foxcharlotte.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
media.mtvnservices.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
media.resulthost.org [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
media.scanscout.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
media.tattomedia.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
media1.break.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
media2.myfoxtampabay.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
mediaforgews.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
msnbcmedia.msn.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
objects.tremormedia.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
s0.2mdn.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
secure-uk.imrworldwide.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
serving-sys.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
spe.atdmt.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
speed.pointroll.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
static.discoverymedia.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
track.webgains.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
udn.specificclick.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
unitedmedia.a.mms.mavenapps.net [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
video.redorbit.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
www.crackle.com [ C:\Documents and Settings\Dad\Application Data\Macromedia\Flash Player\#SharedObjects\JRQ7N2R7 ]
core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\ASMLM5CX ]
media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\ASMLM5CX ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\ASMLM5CX ]


C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\13\27d4524d-43bffac0 multiple threats deleted - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\2\64d94f02-415a88c8 Java/Exploit.CVE-2010-3562.A trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\22\72ec9856-1d17b79a a variant of Java/TrojanDownloader.OpenStream.NCE trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\22\72ec9856-327f3605 a variant of Java/TrojanDownloader.OpenStream.NCE trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\22\72ec9856-5c4e860e a variant of Java/TrojanDownloader.OpenStream.NCE trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\22\72ec9856-6d0e66dc a variant of Java/TrojanDownloader.OpenStream.NCE trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\22\72ec9856-7bffcc32 a variant of Java/TrojanDownloader.OpenStream.NCE trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\22\72ec9856-7ebc10ad a variant of Java/TrojanDownloader.OpenStream.NCE trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\26\7aa0815a-31fdadcb probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\27\15bee2db-35cc0ef0 multiple threats deleted - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\31\1f843e1f-393211e3 probably a variant of Java/TrojanDownloader.Agent.AB trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\32\6fc668a0-353a870c Java/Exploit.CVE-2010-3562.A trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\33\2265a3e1-7d610976 probably a variant of Win32/Agent.CDGQEWH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\35\4c5157e3-36f86c95 Java/Exploit.CVE-2009-2843.B trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\37\1765e425-10175c02 probably a variant of Win32/Agent.CDGQEWH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\41\15467029-22079609 multiple threats deleted - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\41\418b0369-4bf7f110 Java/Exploit.CVE-2009-2843.B trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\50\4b6f1eb2-37addca1 probably a variant of Win32/Agent.ZVRMM trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\52\58fe4034-1ca80010 a variant of Java/Agent.BR trojan deleted - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\52\7d85ea74-1a7c26cb Java/TrojanDownloader.OpenStream.NBV trojan deleted - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\56\58e40278-37eacd54 multiple threats deleted - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\60\240bc57c-5252312c probably a variant of Win32/Agent.ZVRMM trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\61\7ae6b8bd-6f258438 probably a variant of Win32/Agent.CDGQEWH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\63\25097d3f-27bc3a4e Java/Exploit.CVE-2009-2843.B trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\7\406df447-42d89459 probably a variant of Win32/Agent.ZVRMM trojan cleaned by deleting - quarantined
C:\Documents and Settings\Dad\Application Data\Sun\Java\Deployment\cache\6.0\9\36c06809-3b468c80 probably a variant of Win32/Agent.RPSVWU trojan cleaned by deleting - quarantined
C:\Program Files\DrNpHFc4EUHMt-MAYBEBAD\R5Z6hEc.cpl a variant of Win32/Sefnit.AO trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\iqfs4stb.default\extensions\{36d31585-7a79-409c-8d26-72fccbef743b}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\iqfs4stb.default\extensions\{36d31585-7a79-409c-8d26-72fccbef743b}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Patched.GM trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\uratikapawogep.dll.vir Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4v32.dll.vir a variant of Win32/Wimpixo.AA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXRKdaY.dll.vir a variant of Win32/Adware.Virtumonde.NCU application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Bamital.FH trojan deleted - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP154\A0022659.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP154\A0022661.dll a variant of Win32/Adware.Virtumonde.NCU application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP156\A0024214.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP158\A0024541.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP158\A0024542.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP158\A0024543.manifest Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP158\A0024544.exe a variant of Win32/HackTool.Patcher.P application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP158\A0024545.exe probably a variant of Win32/TrojanDropper.Agent.HMBNEEC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP158\A0024546.cpl a variant of Win32/Sefnit.AO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP158\A0024547.exe Win32/HackTool.Patcher.A application cleaned by deleting - quarantined
C:\WINDOWS\Lsabiqeniware.dat Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\WINDOWS\system32\Improve Your PC.lnk LNK/URL.B trojan cleaned by deleting - quarantined



2011/07/25 18:16:36.0343 2940 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/25 18:16:36.0609 2940 ================================================================================
2011/07/25 18:16:36.0609 2940 SystemInfo:
2011/07/25 18:16:36.0609 2940
2011/07/25 18:16:36.0609 2940 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/25 18:16:36.0609 2940 Product type: Workstation
2011/07/25 18:16:36.0609 2940 ComputerName: WINDTUNNEL
2011/07/25 18:16:36.0609 2940 UserName: Dad
2011/07/25 18:16:36.0609 2940 Windows directory: C:\WINDOWS
2011/07/25 18:16:36.0609 2940 System windows directory: C:\WINDOWS
2011/07/25 18:16:36.0609 2940 Processor architecture: Intel x86
2011/07/25 18:16:36.0609 2940 Number of processors: 4
2011/07/25 18:16:36.0609 2940 Page size: 0x1000
2011/07/25 18:16:36.0609 2940 Boot type: Normal boot
2011/07/25 18:16:36.0609 2940 ================================================================================
2011/07/25 18:16:38.0781 2940 Initialize success
2011/07/25 18:16:52.0718 3324 ================================================================================
2011/07/25 18:16:52.0718 3324 Scan started
2011/07/25 18:16:52.0718 3324 Mode: Manual;
2011/07/25 18:16:52.0718 3324 ================================================================================
2011/07/25 18:16:54.0921 3324 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/25 18:16:55.0187 3324 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/25 18:16:55.0515 3324 ADIHdAudAddService (f277c43c2e0672eed28cca0d13ce175f) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/07/25 18:16:56.0062 3324 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/07/25 18:16:56.0328 3324 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/25 18:16:56.0640 3324 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/25 18:16:58.0093 3324 AmbFilt (f2d902f7f5973026571d20c3641c195d) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/07/25 18:16:58.0937 3324 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys
2011/07/25 18:16:59.0359 3324 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/25 18:17:00.0281 3324 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/25 18:17:00.0515 3324 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/25 18:17:00.0937 3324 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/25 18:17:01.0187 3324 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/25 18:17:01.0406 3324 BackupReader (22f769c67cb88ef32a985132041a6169) C:\WINDOWS\system32\DRIVERS\BackupReader.sys
2011/07/25 18:17:01.0625 3324 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/25 18:17:01.0921 3324 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/25 18:17:02.0312 3324 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/25 18:17:02.0546 3324 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/25 18:17:02.0796 3324 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2011/07/25 18:17:03.0015 3324 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/25 18:17:47.0671 3324 ================================================================================
2011/07/25 18:17:47.0671 3324 Scan finished
2011/07/25 18:17:47.0671 3324 ================================================================================
2011/07/25 18:17:47.0687 4004 Detected object count: 0
2011/07/25 18:17:47.0687 4004 Actual detected object count: 0

#4 TimsToys

TimsToys
  • Topic Starter
  • Members
  • 26 posts

Posted 25 July 2011 - 05:56 PM

It took 20+ hours to do the ESET OnlineScan, so I'm finally posting the above and the issues.


Issues:

On reboot after all that I got a message:

Malwarebytes has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below:
C:\windows\system32\atrace32.exe
Quarantine

and

With nothing typed, it just came up:

Malware bytes anti-malware successfully blocked access to a potentially malicious website:
64.14.48.151
Type:outgoing


After going into Firefox and doing a search in Google:
Malware bytes anti-malware successfully blocked access to a potentially malicious website:
208.87.149.250
Type:outgoing

#5 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 25 July 2011 - 05:56 PM

Hi TimsToys,

:step1: Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

:step2: Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:step3: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


In your next reply, please include:
  • MiniToolBox log
  • SuperAntiSpyware log
  • GMER log

Regards,
Jason

 

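The three MiniToolBox sections requested in step 1 are what a helper reads first for a redirect problem, and the check can be scripted. The following is an added example, not code from this thread or from Farbar's MiniToolBox: it parses a report in the tool's output format and flags a forced IE proxy, hosts-file entries beyond localhost, and a resolver set to `source=static` in the netsh dump instead of DHCP. It assumes the section headings shown in the thread and the netsh `set dns ... source=static addr=...` form; both embedded reports are constructed, the clean one mirroring this thread's values and the hijacked one using 203.0.113.0/24 documentation addresses.

```python
"""Triage a MiniToolBox-style report for browser-hijack indicators.
Added example, not code from the thread or from Farbar's MiniToolBox. Both
reports below are constructed; the hijacked one uses 203.0.113.0/24 addresses.
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?):\s*=+$")     # "===== IE Proxy Settings: ====="
NETSH_DNS_RE = re.compile(r'^set dns name="([^"]+)" source=(\w+)(?: addr=([\d.]+))?')

CLEAN_REPORT = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

set dns name="Local Area Connection 3" source=dhcp register=PRIMARY

DNS Servers . . . . . . . . . . . : 65.32.5.111

65.32.5.112
========================= Event log errors: ===============================
"""

# Constructed hijacked variant: proxy forced on, google.com pinned in hosts,
# and the resolver switched from DHCP to a static address.
HIJACKED_REPORT = (
    CLEAN_REPORT
    .replace("Proxy is not enabled.\nNo Proxy Server is set.",
             "Proxy is enabled.\nProxy Server: 127.0.0.1:8080")
    .replace("127.0.0.1 localhost",
             "127.0.0.1 localhost\n203.0.113.5 www.google.com")
    .replace("source=dhcp register=PRIMARY",
             "source=static addr=203.0.113.53 register=PRIMARY")
    .replace(": 65.32.5.111\n\n65.32.5.112", ": 203.0.113.53")
)

def split_sections(report):
    """Map each '===== Name: =====' heading to its non-blank body lines."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        heading = SECTION_RE.match(line)
        if heading:
            current = heading.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections

def hosts_overrides(hosts_lines):
    """(hostname, ip) pairs beyond the stock loopback entry for localhost."""
    overrides = []
    for line in hosts_lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 2:
            continue
        for name in parts[1:]:
            if not (name.lower() == "localhost" and parts[0] in ("127.0.0.1", "::1")):
                overrides.append((name, parts[0]))
    return overrides

def static_dns(ip_lines):
    """Interfaces whose resolver is 'source=static' in the netsh dump."""
    return [(m.group(1), m.group(3))
            for m in map(NETSH_DNS_RE.match, ip_lines)
            if m and m.group(2) == "static"]

def dns_servers(ip_lines):
    """Resolvers from the ipconfig block; extras appear as bare IPs below."""
    servers, collecting = [], False
    for line in ip_lines:
        if line.startswith("DNS Servers"):
            servers.append(line.split(":", 1)[1].strip())
            collecting = True
        elif collecting and re.fullmatch(r"[\d.]+", line):
            servers.append(line)
        else:
            collecting = False
    return servers

def triage(report):
    """Return hijack findings as strings; an empty list means none found."""
    s = split_sections(report)
    findings = []
    proxy = " ".join(s.get("IE Proxy Settings", []))
    if "Proxy is not enabled" not in proxy:
        findings.append("IE proxy forced on: " + proxy)
    for name, ip in hosts_overrides(s.get("Hosts content", [])):
        findings.append(f"hosts override: {name} -> {ip}")
    ip_lines = s.get("IP Configuration", [])
    for iface, addr in static_dns(ip_lines):
        findings.append(f"static DNS on {iface}: {addr}; resolvers in use: "
                        + ", ".join(dns_servers(ip_lines)))
    return findings
```

A clean result from this script does not clear the machine: in this thread the proxy, hosts file and DHCP-assigned ISP resolvers all look normal, which is exactly why the helper moves on to in-process and rootkit checks (SAS, GMER) next.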


#6 TimsToys

TimsToys
  • Topic Starter
  • Members
  • 26 posts

Posted 26 July 2011 - 05:32 PM

Lots of issues running this.
Unplugged from the internet, disabled Malwarebytes.

MiniToolBox ran fine.
SuperAntiSpyware I had to rename to zzz.exe to make it run.
While running, Malwarebytes gave me 4 errors - guess I should turn it off next time:
C:\windows\system32\xactengine2_232.exe
C:\windows\System32\atrace32.exe
One file in temp directory
One file in vol restore directory

GMER seemed to run, but the machine rebooted on its own in the middle,
then it auto-ran Ad-Aware, and I did not have it set to autorun.

Turned off and reran.

While typing this, I still get the Malwarebytes blocking site message.

MiniToolBox by Farbar
Ran by Dad (administrator) on 25-07-2011 at 19:05:24
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 3"

set address name="Local Area Connection 3" source=dhcp
set dns name="Local Area Connection 3" source=dhcp register=PRIMARY
set wins name="Local Area Connection 3" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : windtunnel
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : tampabay.rr.com

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : tampabay.rr.com
Description . . . . . . . . . . . : Linksys LNE100TX(v5) Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-20-78-1C-93-1A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 65.32.5.111
65.32.5.112
Lease Obtained. . . . . . . . . . : Monday, July 25, 2011 6:39:17 PM
Lease Expires . . . . . . . . . . : Tuesday, July 26, 2011 6:39:17 PM

Server: dns-redir-lb-01.tampabay.rr.com
Address: 65.32.5.111

Name: google.com
Addresses: 74.125.67.103, 74.125.67.104, 74.125.67.105, 74.125.67.106
74.125.67.147, 74.125.67.99

Pinging google.com [74.125.157.147] with 32 bytes of data:

Reply from 74.125.157.147: bytes=32 time=28ms TTL=52
Reply from 74.125.157.147: bytes=32 time=28ms TTL=52

Ping statistics for 74.125.157.147:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 28ms, Maximum = 28ms, Average = 28ms

Server: dns-redir-lb-01.tampabay.rr.com
Address: 65.32.5.111

Name: yahoo.com
Addresses: 72.30.2.43, 98.137.149.56, 209.191.122.70, 67.195.160.76
69.147.125.65

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=82ms TTL=50
Reply from 98.137.149.56: bytes=32 time=83ms TTL=51

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 82ms, Maximum = 83ms, Average = 82ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 20 78 1c 93 1a ...... Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 20
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 20
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/25/2011 06:42:48 PM) (Source: EWA net DB Core) (User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/25/2011 06:32:43 PM) (Source: EWA net DB Core) (User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/25/2011 06:32:37 PM) (Source: EWA net DB Core) (User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/25/2011 06:23:13 PM) (Source: EWA net DB Core) (User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/24/2011 04:53:31 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module ieframe.dll, version 8.0.6001.19072, fault address 0x000b78d5.
Processing media-specific event for [iexplore.exe!ws!]

Error: (07/24/2011 04:35:51 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/24/2011 04:35:51 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/24/2011 04:27:24 PM) (Source: EWA net DB Core) (User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/23/2011 09:10:22 PM) (Source: EWA net DB Core) (User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/23/2011 00:47:32 PM) (Source: EWA net DB Core) (User: )
Description: TransBase Multiplexer error report:
select()


System errors:
=============
Error: (07/25/2011 06:41:05 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Error: (07/25/2011 06:41:05 PM) (Source: Service Control Manager) (User: )
Description: The Single Frame Film Scanner service failed to start due to the following error:
%%1058

Error: (07/25/2011 06:31:15 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Error: (07/25/2011 06:31:15 PM) (Source: Service Control Manager) (User: )
Description: The Single Frame Film Scanner service failed to start due to the following error:
%%1058

Error: (07/25/2011 06:22:54 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Error: (07/25/2011 06:22:54 PM) (Source: Service Control Manager) (User: )
Description: The Single Frame Film Scanner service failed to start due to the following error:
%%1058

Error: (07/25/2011 06:21:18 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.101 for the Network Card with network address 0020781C931A has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (07/24/2011 04:26:42 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Error: (07/24/2011 04:26:42 PM) (Source: Service Control Manager) (User: )
Description: The Single Frame Film Scanner service failed to start due to the following error:
%%1058

Error: (07/24/2011 04:24:57 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.101 for the Network Card with network address 0020781C931A has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).


Microsoft Office Sessions:
=========================
Error: (07/25/2011 06:42:48 PM) (Source: EWA net DB Core)(User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/25/2011 06:32:43 PM) (Source: EWA net DB Core)(User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/25/2011 06:32:37 PM) (Source: EWA net DB Core)(User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/25/2011 06:23:13 PM) (Source: EWA net DB Core)(User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/24/2011 04:53:31 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702ieframe.dll8.0.6001.19072000b78d5

Error: (07/24/2011 04:35:51 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/24/2011 04:35:51 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/24/2011 04:27:24 PM) (Source: EWA net DB Core)(User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/23/2011 09:10:22 PM) (Source: EWA net DB Core)(User: )
Description: TransBase Multiplexer error report:
select()

Error: (07/23/2011 00:47:32 PM) (Source: EWA net DB Core)(User: )
Description: TransBase Multiplexer error report:
select()


========================= Memory info: ===================================

Percentage of memory in use: 22%
Total physical RAM: 3327.04 MB
Available physical RAM: 2592.6 MB
Total Pagefile: 5211.01 MB
Available Pagefile: 4590.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.7 MB

========================= Partitions: =====================================

2 Drive c: (WindTunnelC) (Fixed) (Total:232.88 GB) (Free:170.7 GB) NTFS
5 Drive f: (750 Gig SATA 2) (Fixed) (Total:698.64 GB) (Free:210.71 GB) NTFS
6 Drive g: (2 Tarabyte) (Fixed) (Total:1863.01 GB) (Free:1271.28 GB) NTFS
7 Drive h: (1.5 Tarabyte) (Fixed) (Total:1397.25 GB) (Free:649.68 GB) NTFS
8 Drive i: (750 Gig SATA 3) (Fixed) (Total:698.64 GB) (Free:232.34 GB) NTFS
9 Drive j: (1 Tarabyte) (Fixed) (Total:931.5 GB) (Free:375.49 GB) NTFS
10 Drive k: (2T External) (Fixed) (Total:1863.01 GB) (Free:349.68 GB) NTFS
17 Drive r: (KINGSTON) (Removable) (Total:29.81 GB) (Free:19.95 GB) FAT32

========================= Users: ========================================

User accounts for \\WINDTUNNEL

Administrator ASPNET Dad
Guest HelpAssistant SUPPORT_388945a0


== End of log ==



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/26/2011 at 00:14 AM

Application Version : 4.55.1000

Core Rules Database Version : 7457
Trace Rules Database Version: 5269

Scan type : Complete Scan
Total Scan Time : 05:03:05

Memory items scanned : 506
Memory threats detected : 0
Registry items scanned : 8901
Registry threats detected : 0
File items scanned : 224700
File threats detected : 5

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP153\A0020194.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP153\A0020378.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP153\A0020379.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP153\A0020381.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3BD6D90-F1E2-450C-93F5-BF2D5C7C18A6}\RP154\A0022492.EXE



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-26 18:18:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3250310NS rev.SN05
Running: o2ysjfgh.exe; Driver: C:\DOCUME~1\Dad\LOCALS~1\Temp\kxlyauog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB811887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8118BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B823A0, 0x59FFE5, 0xE8000020]
init C:\WINDOWS\system32\drivers\Ambfilt.sys entry point in "init" section [0xB3972830]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[608] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\EWA net\server\bin\tomcat.exe[1624] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [10001291] C:\Program Files\EWA net\apps\jre\private_jre\bin\server\jvm.dll
IAT C:\Program Files\EWA net\server\bin\tomcat.exe[1624] @ C:\WINDOWS\system32\SHELL32.DLL [KERNEL32.dll!LoadLibraryA] [10001291] C:\Program Files\EWA net\apps\jre\private_jre\bin\server\jvm.dll

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC1 0x8B 0x5C 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x5E 0xE6 0x55 0xE5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBC 0xC1 0x76 0xDE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC1 0x8B 0x5C 0xD1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x5E 0xE6 0x55 0xE5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBC 0xC1 0x76 0xDE ...

---- EOF - GMER 1.0.15 ----


Thanks for the help.

#7 jntkwx (Malware Response Team)

Posted 26 July 2011 - 07:16 PM

Hi TimsToys,

Let's try this:

Step 1: Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\WINDOWS\system32 /n*.exe /t14
    C:\Program Files\
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#8 TimsToys (Topic Starter)

Posted 26 July 2011 - 07:19 PM

SystemLook 04.09.10 by jpshortstuff
Log created at 20:19 on 26/07/2011 by Dad
Administrator - Elevation successful

========== dir ==========

C:\WINDOWS\system32 - Parameters: "/n*.exe /t14"

---Files---
atrace32.exe ------- 793088 bytes [01:21 24/07/2011] [01:21 24/07/2011]
lsdelete.exe --a---- 16432 bytes [18:26 23/07/2011] [18:20 23/07/2011]
MRT.exe --a---- 49089992 bytes [04:47 10/11/2008] [22:40 21/07/2011]
xactengine2_232.exe ------- 793088 bytes [01:21 24/07/2011] [01:21 24/07/2011]

---Folders---
1025 d------ [19:29 09/11/2008]
1028 d------ [19:29 09/11/2008]
1031 d------ [19:29 09/11/2008]
1033 d------ [19:29 09/11/2008]
1037 d------ [19:29 09/11/2008]
1041 d------ [19:29 09/11/2008]
1042 d------ [19:29 09/11/2008]
1054 d------ [19:29 09/11/2008]
2052 d------ [19:29 09/11/2008]
3076 d------ [19:29 09/11/2008]
3com_dmi d------ [19:29 09/11/2008]
bits d------ [04:30 10/11/2008]
CanonIJ Uninstaller Information d--h--- [13:52 13/02/2011]
CatRoot d------ [19:35 09/11/2008]
CatRoot2 d------ [19:35 09/11/2008]
Color d------ [01:29 15/11/2008]
Com d------ [01:34 10/11/2008]
config d------ [19:29 09/11/2008]
dhcp d------ [19:29 09/11/2008]
DirectX d------ [01:36 10/11/2008]
dllcache dr-hsc- [19:29 09/11/2008]
drivers d------ [19:29 09/11/2008]
DRVSTORE d----c- [02:19 10/11/2008]
en d------ [04:30 10/11/2008]
en-us d------ [04:30 10/11/2008]
export d------ [19:29 09/11/2008]
GAMMA d------ [00:16 15/11/2008]
GroupPolicy d------ [00:05 11/11/2008]
ias d------ [19:29 09/11/2008]
icsxml d------ [19:29 09/11/2008]
IME d------ [19:29 09/11/2008]
inetsrv d------ [19:29 09/11/2008]
LogFiles d------ [00:04 11/11/2008]
logs d------ [18:45 10/07/2011]
Macromed d------ [01:36 10/11/2008]
Microsoft d---s-- [01:48 10/11/2008]
MsDtc d------ [01:34 10/11/2008]
mui d------ [19:29 09/11/2008]
npp d------ [19:29 09/11/2008]
NtmsData d------ [23:29 01/01/2011]
oobe d------ [19:29 09/11/2008]
PreInstall d------ [04:04 10/11/2008]
ras d------ [19:29 09/11/2008]
ReinstallBackups d------ [02:19 10/11/2008]
Restore d------ [01:36 10/11/2008]
scripting d------ [04:30 10/11/2008]
Setup d------ [19:29 09/11/2008]
ShellExt d------ [19:29 09/11/2008]
SoftwareDistribution d------ [03:27 10/11/2008]
spool d------ [19:29 09/11/2008]
URTTemp d------ [07:12 23/11/2008]
usmt d------ [19:29 09/11/2008]
wbem d------ [19:29 09/11/2008]
WindowsPowerShell d------ [10:48 08/07/2010]
winrm d------ [10:48 08/07/2010]
wins d------ [19:29 09/11/2008]
xircom d------ [01:38 10/11/2008]
XPSViewer d------ [16:15 01/03/2009]

C:\Program Files - Parameters: "(none)"

---Files---
None found.

---Folders---
ACDSee32 d------ [23:27 12/11/2008]
activePDF d------ [04:04 13/11/2008]
Adobe d------ [02:02 13/11/2008]
Adobe Media Player d------ [00:17 21/08/2010]
Aimersoft d------ [17:26 23/07/2011]
Alcohol Soft d------ [04:38 13/11/2008]
Amazon d------ [17:40 29/05/2011]
Analog Devices d------ [02:57 10/11/2008]
AnvSoft d------ [04:49 02/01/2010]
Apple Software Update d------ [03:38 14/11/2008]
ArcSoft d------ [01:17 15/11/2008]
ASUS d------ [03:15 10/11/2008]
ATF Cleaner d------ [04:18 13/11/2008]
AviSynth 2.5 d------ [15:42 06/03/2010]
BitTorrent d------ [16:56 12/07/2009]
BookSmart d------ [03:27 27/07/2010]
Brother's Keeper 6 d------ [04:37 24/01/2010]
Canon d------ [02:10 14/11/2008]
CanonBJ d--h--- [13:52 13/02/2011]
CDisplay d------ [05:52 01/02/2009]
Charting Companion for FTM d------ [01:55 14/11/2008]
ColorWasher2 d------ [01:02 18/02/2009]
Combined Community Codec Pack d------ [15:06 10/01/2010]
ComicRack d------ [23:39 28/02/2009]
Common Files d------ [19:36 09/11/2008]
ComPlus Applications d------ [01:35 10/11/2008]
ConvertHelper d------ [06:23 16/02/2010]
Corel d------ [02:15 15/11/2008]
Creative d------ [03:01 10/11/2008]
Creative Installation Information d--h--- [03:05 10/11/2008]
DrNpHFc4EUHMt-MAYBEBAD d------ [01:24 24/01/2011]
DVD Decrypter d------ [03:49 13/11/2008]
DVD Flick d------ [02:00 16/12/2009]
DVD Shrink d------ [03:49 13/11/2008]
ESET d------ [20:36 24/07/2011]
EWA net d------ [03:31 22/03/2009]
EWANAPI d------ [03:50 22/03/2009]
Family Tree Maker 11 d------ [01:30 18/01/2009]
Family Tree Maker 2006 d------ [01:53 14/11/2008]
FastCopy d------ [01:20 23/11/2009]
FLV Player d------ [01:23 16/04/2009]
FLVCodec d------ [00:06 07/06/2010]
Free&Easy Font Viewer d------ [04:10 13/11/2008]
Handbrake d------ [12:06 23/07/2011]
Hewlett-Packard d------ [02:26 13/11/2008]
Hijackthis d------ [02:09 15/11/2008]
Illustrate d------ [04:43 25/01/2009]
ImageConverter Plus d------ [23:08 29/11/2009]
InstallShield Installation Information d--h--- [02:57 10/11/2008]
Intel d------ [02:19 10/11/2008]
Internet Explorer d------ [01:35 10/11/2008]
Java d------ [22:51 18/03/2009]
Lavasoft d------ [23:23 13/10/2009]
Legacy d------ [14:58 18/01/2009]
MagicDisc d------ [19:24 01/01/2011]
Malwarebytes' Anti-Malware d------ [04:24 13/11/2008]
Marvell d------ [02:18 10/11/2008]
Medieval Software d------ [05:44 25/01/2009]
Messenger d------ [01:35 10/11/2008]
MFInstall d------ [22:57 11/08/2009]
Microsoft ActiveSync d------ [02:36 13/11/2008]
microsoft frontpage d------ [01:38 10/11/2008]
Microsoft Hardware d------ [04:03 16/11/2008]
Microsoft Office d------ [02:35 13/11/2008]
Microsoft Silverlight d------ [03:08 13/04/2011]
Microsoft Visual Studio d------ [02:35 13/11/2008]
Microsoft Works d------ [02:35 13/11/2008]
Microsoft.NET d------ [02:35 13/11/2008]
Movie Maker d------ [01:36 10/11/2008]
Mozilla Firefox d------ [01:23 13/11/2008]
Mozilla Thunderbird d------ [01:36 13/11/2008]
MSBuild d------ [16:15 01/03/2009]
MSECache d------ [03:30 04/03/2009]
MSN d------ [01:34 10/11/2008]
MSN Gaming Zone d------ [01:35 10/11/2008]
MSXML 4.0 d------ [23:41 14/11/2008]
Musicmatch d------ [04:28 13/11/2008]
My Company Name d------ [03:38 10/11/2008]
Mystik Media d------ [21:12 29/11/2009]
Nero d------ [03:51 14/11/2008]
NetMeeting d------ [01:36 10/11/2008]
NewSoft d------ [01:17 15/11/2008]
Nikon d------ [01:28 15/11/2008]
Nitro PDF d------ [00:43 02/11/2009]
NVIDIA Corporation d------ [10:56 08/07/2010]
One-click Ringtone Converter d------ [02:06 15/11/2008]
Online Services d------ [01:35 10/11/2008]
Outlook Express d------ [01:36 10/11/2008]
PeerGuardian2 d------ [05:18 01/03/2009]
Pegasys Inc d------ [23:58 14/11/2008]
PicaLoader d------ [01:39 11/01/2009]
Plextor d------ [02:36 07/01/2009]
QuickPar d------ [03:04 13/11/2008]
QuickTime d------ [06:32 05/12/2009]
Recosoft PDF2ID d------ [00:01 10/03/2011]
Red Kawa d------ [15:47 06/03/2010]
Reference Assemblies d------ [16:15 01/03/2009]
Regensoft d------ [15:47 06/03/2010]
Rename Master d------ [04:15 13/11/2008]
ScanSoft d------ [01:18 15/11/2008]
ScanWrite d------ [00:14 15/11/2008]
SmartSoftVideoConverterPro d------ [06:09 05/12/2009]
SUPERAntiSpyware d------ [18:41 24/07/2011]
UCT d------ [01:53 28/02/2011]
Uninstall Information d--h--- [01:52 10/11/2008]
uTorrent d------ [03:08 14/11/2008]
Web ImageGrabber 2 d------ [01:29 10/01/2009]
WinAVIVideoConverter d------ [06:14 05/12/2009]
Windows Desktop Search d------ [00:05 11/11/2008]
Windows Home Server d------ [02:49 15/11/2008]
Windows Media Connect 2 d------ [00:05 11/11/2008]
Windows Media Player d------ [01:35 10/11/2008]
Windows NT d------ [01:34 10/11/2008]
WindowsUpdate d--h--- [01:37 10/11/2008]
Winmail Reader d------ [20:00 14/11/2009]
WinRAR d------ [03:03 13/11/2008]
Womble Multimedia d------ [03:27 14/11/2008]
Wondershare d------ [01:14 22/07/2011]
WS_FTP d------ [03:12 14/11/2008]
xerox d------ [01:38 10/11/2008]
Zenographics d--h--- [02:26 13/11/2008]

-= EOF =-

#9 jntkwx (Malware Response Team)

Posted 26 July 2011 - 07:36 PM

Hi TimsToys,

Please rerun SystemLook.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\Program Files\DrNpHFc4EUHMt-MAYBEBAD /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Do you recognize a program recently installed called Wondershare?

Edited by jntkwx, 26 July 2011 - 07:37 PM.

Regards,
Jason



#10 TimsToys (Topic Starter)

Posted 26 July 2011 - 08:14 PM

SystemLook 04.09.10 by jpshortstuff
Log created at 21:14 on 26/07/2011 by Dad
Administrator - Elevation successful

========== dir ==========

C:\Program Files\DrNpHFc4EUHMt-MAYBEBAD - Parameters: "/s"

---Files---
None found.

No folders found.

-= EOF =-

#11 jntkwx (Malware Response Team)

Posted 26 July 2011 - 08:19 PM

Do you recognize a program recently installed called Wondershare?
Regards,
Jason



#12 TimsToys (Topic Starter)

Posted 26 July 2011 - 08:33 PM

Yes.
Video converter program, but I can remove as I don't plan on using it.

#13 TimsToys (Topic Starter)

Posted 26 July 2011 - 08:35 PM

I think a while ago I renamed this directory:

DrNpHFc4EUHMt-MAYBEBAD

It is empty, so I can delete it.

#14 jntkwx (Malware Response Team)

Posted 26 July 2011 - 08:37 PM

Hi TimsToys,

Yes, go ahead and delete that directory.

Did you have any redirect problems before you installed Wondershare? (on July 22nd)


Let's upload a couple files for a second opinion on what they actually are.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Virustotal: http://www.virustotal.com/

When the Virustotal page has finished loading, click the Choose File button and navigate to each of the following files and click Send File.

C:\WINDOWS\system32\atrace32.exe

C:\WINDOWS\system32\xactengine2_232.exe


Please post back the website addresses (URLs) of the Virustotal results in your next post.

Edited by jntkwx, 26 July 2011 - 08:39 PM.

Regards,
Jason



#15 TimsToys (Topic Starter)

Posted 26 July 2011 - 08:45 PM

http://www.virustotal.com/file-scan/reanalysis.html?id=3aeaf528e611a8a47b8a62a01f66d0719524a6da012ba0cbe36f298083d65870-1311730924
atrace32.exe
File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: 36577e45657d392c9abb2e034c4c979d
Date first seen: 2011-07-23 14:34:35 (UTC)
Date last seen: 2011-07-25 15:45:24 (UTC)
Detection ratio: 14/43

What do you wish to do?

http://www.virustotal.com/file-scan/reanalysis.html?id=3aeaf528e611a8a47b8a62a01f66d0719524a6da012ba0cbe36f298083d65870-1311730254
xactengine2_232.exe
File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: 36577e45657d392c9abb2e034c4c979d
Date first seen: 2011-07-23 14:34:35 (UTC)
Date last seen: 2011-07-25 15:45:24 (UTC)
Detection ratio: 14/43

What do you wish to do?
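The two VirusTotal results above report the same MD5 for atrace32.exe and xactengine2_232.exe, so the two "different" executables in C:\WINDOWS\system32 are one file under two names. The SystemLook listing in post #8 already pointed at that before anything was uploaded: both entries have the same size (793088 bytes) and the same pair of timestamps. The following is an added example, not part of the thread and not SystemLook's or the helper's own code, showing how a responder can parse the `---Files---` section of a SystemLook log and flag (a) executables with a timestamp inside a recent window and (b) entries that look like byte-for-byte copies of each other, so they get hashed and checked first. The sample input is the four file lines copied from post #8; the log date is taken from the log header. Which of the two bracketed timestamps is creation and which is last-write is not stated in the thread, so the code only calls them `ts_a` and `ts_b` and treats either as evidence of recent activity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The C:\WINDOWS\system32 "---Files---" block from the SystemLook log in
# post #8 (copied from the thread, not constructed), plus the log's own date.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32 - Parameters: "/n*.exe /t14"

---Files---
atrace32.exe ------- 793088 bytes [01:21 24/07/2011] [01:21 24/07/2011]
lsdelete.exe --a---- 16432 bytes [18:26 23/07/2011] [18:20 23/07/2011]
MRT.exe --a---- 49089992 bytes [04:47 10/11/2008] [22:40 21/07/2011]
xactengine2_232.exe ------- 793088 bytes [01:21 24/07/2011] [01:21 24/07/2011]

---Folders---
1025 d------ [19:29 09/11/2008]
"""
LOG_DATE = datetime(2011, 7, 26, 20, 19)  # "Log created at 20:19 on 26/07/2011"

# One SystemLook file line: name, 7-character attribute field, size in bytes,
# then two bracketed timestamps. Assumption: the thread does not say which
# timestamp is creation and which is last-write, so they are just ts_a / ts_b.
FILE_RE = re.compile(
    r"^(?P<name>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<ts_a>\d\d:\d\d \d\d/\d\d/\d{4})\] \[(?P<ts_b>\d\d:\d\d \d\d/\d\d/\d{4})\]$"
)
TS_FMT = "%H:%M %d/%m/%Y"


def parse_files(log_text):
    """Return the entries of the first ---Files--- section as a list of dicts."""
    entries, in_files = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "---Files---":
            in_files = True
            continue
        if in_files and line.startswith("---"):   # next section, e.g. ---Folders---
            break
        if not in_files or not line or line == "None found.":
            continue
        m = FILE_RE.match(line)
        if m is None:
            continue                                # skip lines in an unexpected shape
        entries.append({
            "name": m["name"],
            "attrs": m["attrs"],
            "size": int(m["size"]),
            "ts_a": datetime.strptime(m["ts_a"], TS_FMT),
            "ts_b": datetime.strptime(m["ts_b"], TS_FMT),
        })
    return entries


def duplicate_groups(entries):
    """Groups of files with identical size and identical timestamps: likely copies
    of one binary under several names, worth hashing to confirm."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["size"], e["ts_a"], e["ts_b"])].append(e["name"])
    return sorted(names for names in groups.values() if len(names) > 1)


def triage(entries, log_date=LOG_DATE, window_days=7):
    """Map file name -> reasons it deserves a hash lookup / second opinion first."""
    cutoff = log_date - timedelta(days=window_days)
    reasons = defaultdict(list)
    for e in entries:
        if e["ts_a"] >= cutoff or e["ts_b"] >= cutoff:
            reasons[e["name"]].append(f"timestamp within last {window_days} days")
    for names in duplicate_groups(entries):
        for n in names:
            others = ", ".join(x for x in names if x != n)
            reasons[n].append(f"same size and timestamps as {others}")
    return dict(reasons)


if __name__ == "__main__":
    for name, why in sorted(triage(parse_files(SAMPLE_LOG)).items()):
        print(f"{name}: {'; '.join(why)}")
```

Run against the sample, every entry is flagged as recent (the `/t14` parameter in the log header already restricted the listing to recently touched files, so that alone separates nothing), but only atrace32.exe and xactengine2_232.exe are flagged as a duplicate pair, which is exactly the pair the helper asked to have uploaded and which VirusTotal then reported under one MD5. A legitimate, recently updated file such as MRT.exe stays a single-reason candidate that an analyst can clear quickly.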



