Computer possibly infected and cannot run antispyware or antivirus


21 replies to this topic

#1 nottechsavvy (Members, 19 posts)

Posted 02 August 2011 - 10:14 PM

Computer is running Windows XP x86 SP3.

Firefox and IE run very slowly, sometimes locking up, and often get redirected to iamwired.net. I have tried running online scanners like Bitdefender Quickscan, but the scan terminates or won't start. I've tried running Malwarebytes, but I get a message saying "Windows cannot access the specified device, path or file." Super Anti Spyware starts but then dies after a few minutes.

I am also not able to start the machine in Safe Mode.



EDIT: Moved from XP to the Am I Infected forum.

Edited by boopme, 02 August 2011 - 10:23 PM.



#2 Broni (The Coolest BC Computer; BC Advisor, 42,661 posts, Daly City, CA)

Posted 02 August 2011 - 10:33 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.



#3 nottechsavvy (Topic Starter; Members, 19 posts)

Posted 03 August 2011 - 02:44 AM

Thank you very much for your help and your prompt response.

Here is the information that you requested:

Security Check:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Rootkit Unhooker LE 3.8 SR 2
CCleaner
Java™ 6 Update 24
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

MiniToolBox:

MiniToolBox by Farbar
Ran by Liz (administrator) on 03-08-2011 at 01:38:09
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.no_proxies_on", "*.local"
========================= Hosts content: =================================



127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com

There are 63 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : DELL-DESKTOP
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® 82562V 10/100 Network Connection
Physical Address. . . . . . . . . : 00-19-D1-27-BF-D1
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 207.69.188.186
207.69.188.187
Lease Obtained. . . . . . . . . . : Tuesday, August 02, 2011 6:18:32 PM
Lease Expires . . . . . . . . . . : Wednesday, August 03, 2011 6:18:32 PM

Server: ns2.mindspring.com
Address: 207.69.188.186

Name: google.com
Addresses: 74.125.91.105, 74.125.91.99, 74.125.91.104, 74.125.91.106
74.125.91.147, 74.125.91.103

Pinging google.com [74.125.93.106] with 32 bytes of data:

Reply from 74.125.93.106: bytes=32 time=28ms TTL=53
Reply from 74.125.93.106: bytes=32 time=29ms TTL=53

Ping statistics for 74.125.93.106:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 28ms, Maximum = 29ms, Average = 28ms

Server: ns2.mindspring.com
Address: 207.69.188.186

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=98ms TTL=52
Reply from 98.137.149.56: bytes=32 time=86ms TTL=52

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 86ms, Maximum = 98ms, Average = 92ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 d1 27 bf d1 ...... Intel® 82562V 10/100 Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 20
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 20
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/03/2011 01:34:11 AM) (Source: Application Hang) (User: )
Description: Hanging application MiniToolBox.exe, version 3.3.6.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/01/2011 05:13:43 PM) (Source: Media Center Extender Services) (User: )
Description: ERROR: Device Service Listener - UDP networking failed. Error code 0x80072742.

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0) (User: )
Description: QuickBooksDB17Could not start server

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0) (User: )
Description: QuickBooksDB17Unable to initialize requested communication links

Error: (07/31/2011 08:05:16 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/26/2011 07:29:07 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (08/02/2011 06:19:00 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgLdx86
AvgTdiX

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error:
%%3

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The srvsysdriver32 service failed to start due to the following error:
%%2

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The Machine Debug Manager service failed to start due to the following error:
%%2

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The Intel® Matrix Storage Event Monitor service failed to start due to the following error:
%%2

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%2

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service failed to start due to the following error:
%%2

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The AVG Free8 WatchDog service failed to start due to the following error:
%%3

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service failed to start due to the following error:
%%2

Error: (08/02/2011 06:18:59 PM) (Source: Service Control Manager) (User: )
Description: The Zune Bus Enumerator Driver service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (08/03/2011 01:34:11 AM) (Source: Application Hang)(User: )
Description: MiniToolBox.exe3.3.6.1hungapp0.0.0.000000000

Error: (08/01/2011 05:13:43 PM) (Source: Media Center Extender Services)(User: )
Description: UDP0x80072742

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0)(User: )
Description: QuickBooksDB17Could not start server

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0)(User: )
Description: QuickBooksDB17Unable to initialize requested communication links

Error: (07/31/2011 08:05:16 PM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (07/26/2011 07:29:07 PM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000


========================= Memory info: ===================================

Percentage of memory in use: 33%
Total physical RAM: 2037.84 MB
Available physical RAM: 1353.13 MB
Total Pagefile: 3933.72 MB
Available Pagefile: 3486.72 MB
Total Virtual: 2047.88 MB
Available Virtual: 1998.65 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:144.33 GB) (Free:113.33 GB) NTFS

========================= Users: ========================================

User accounts for \\DELL-DESKTOP

Administrator Guest HelpAssistant
Liz QBDataServiceUser17 SUPPORT_388945a0


== End of log ==

GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-03 06:32:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316081 rev.3.AD
Running: o3zmedoh.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\kwlyypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@cblfpakhccjoafkfllncjbjkfkdfdclckapopn 0x6A 0x61 0x61 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@bbfgnaefhmmnkmakeiongfbelodgkbhhjkjj 0x6A 0x61 0x61 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@ialfpakhccjoafkfll 0x61 0x61 0x00 0x01
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@hafgnaefhmmnkmak 0x61 0x61 0x00 0x01
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@iapchoepdenphfbhgm 0x61 0x61 0x00 0x01
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@dbofinpdlfanjeikffcngajmenodmhjeaplfkhop 0x6A 0x61 0x62 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@cbeegifnnhimkocapndgifjnancodacmndlhnb 0x6A 0x61 0x70 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@iaofinpdlfanjeikff 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@haeegifnnhimkoca 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@iacdmifcgjlikclmja 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@abcdmnniakbkkhebhkanfmjdionhfnckgd 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@mabdhoagnomcoifgajlhpnhegb 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27F51A-6EA4-7529-B3E1-D5B4656604F1}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27F51A-6EA4-7529-B3E1-D5B4656604F1}@dbfkgpdiokakgjafanlbpkpcccgmjpecdkjgfpmb 0x6A 0x61 0x61 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27F51A-6EA4-7529-B3E1-D5B4656604F1}@cbhceaehnledimalhjbklmdpcdmfgghnoefmon 0x6A 0x61 0x61 0x70 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB57971$\2727823645 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\click.tlb 2144 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\L\pdmzmplg 335240 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@00000001 42512 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@000000c0 2560 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@000000cb 2048 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@80000000 24576 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@800000c0 33280 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@800000cb 27648 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@800000cf 27648 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes

---- EOF - GMER 1.0.15 ----

Edited by nottechsavvy, 03 August 2011 - 05:44 AM.
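The Hosts content in the MiniToolBox log above is the reason Broni's checklist asks for that section: a stock Windows hosts file maps only localhost to 127.0.0.1, so dozens of social-network and login domains pointed at loopback are a hijack indicator, not a configuration choice. The script below is an added example, not code from MiniToolBox, GMER or anyone in this thread. It parses hosts-file text in the layout MiniToolBox prints and sorts each entry into one of three verdicts: blackholed (name sent to loopback or 0.0.0.0, so it silently resolves to nowhere), redirected (name pinned to a public address, bypassing DNS), or ok. SAMPLE_HOSTS is constructed from a few lines of the posted list plus two made-up entries (ad.doubleclick.net and update.example.com) so that every verdict is exercised; the last-two-labels domain grouping is an assumption that is adequate for the .com and .ru names posted.

```python
"""Triage a Windows hosts file of the kind MiniToolBox prints under "Hosts content".

Added example for this thread; not code from MiniToolBox, GMER or any poster.
"""
import ipaddress
from collections import Counter

# Constructed sample: a few lines from the posted list plus two made-up
# entries (ad.doubleclick.net, update.example.com) to exercise every verdict.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 da-dk.facebook.com
0.0.0.0 ad.doubleclick.net        # ad-blocker style entry
93.184.216.34 update.example.com  # pinned to a public address
"""

# Names a stock Windows hosts file legitimately maps to loopback.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token is not an address
        for name in parts[1:]:                    # one line may list several names
            pairs.append((parts[0], name.lower()))
    return pairs


def registrable_domain(name):
    """Crude grouping key: last two labels (assumption; fine for .com/.ru names)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def classify(ip, name):
    """ok | blackholed (name resolves to nowhere) | redirected (pinned to a public IP)."""
    addr = ipaddress.ip_address(ip)
    if name in LEGIT_LOOPBACK:
        return "ok"
    if addr.is_loopback or addr.is_unspecified:
        return "blackholed"
    if addr.is_global:
        return "redirected"
    return "ok"                                   # private/LAN mapping, e.g. a NAS


def audit_hosts(text):
    """Summarise a hosts file: verdict counts, blackholed names per domain, redirects."""
    verdicts = Counter()
    blackholed = Counter()
    redirected = []
    for ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        verdicts[verdict] += 1
        if verdict == "blackholed":
            blackholed[registrable_domain(name)] += 1
        elif verdict == "redirected":
            redirected.append((name, ip))
    return {"verdicts": dict(verdicts),
            "blackholed": dict(blackholed),
            "redirected": redirected}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("verdicts:", report["verdicts"])
    for domain, n in sorted(report["blackholed"].items(), key=lambda kv: -kv[1]):
        print(f"  blackholed {domain}: {n} name(s)")
    for name, ip in report["redirected"]:
        print(f"  redirected {name} -> {ip}")
```

The counts are a triage aid rather than a verdict: a hosts-based ad blocker produces "blackholed" entries too, so what matters is which domains are blocked. Ad servers are expected; login and social sites the user wants to reach (as in the posted list) are not. Entries that pin update or security-vendor names to a public address deserve the closest look, since that is how DNS is bypassed for those names.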


#4 nottechsavvy (Topic Starter; Members, 19 posts)

Posted 03 August 2011 - 06:01 PM

I was able to run Emsisoft Emergency Kit off a USB drive and subsequently run Malwarebytes. Here are the results from those scans:



Emsisoft Emergency Kit - Version 1.0
Last update: 8/1/2011 4:59:42 PM

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 8/1/2011 5:16:03 PM

[352] C:\WINDOWS\update.tray-12-0\svchost.exe detected: Virus.Win32.Agent!IK
[520] C:\WINDOWS\sysdriver32.exe detected: Trojan.Win32.Delf!IK
[548] C:\WINDOWS\sysdriver32_.exe detected: Trojan.Win32.Delf!IK
[1024] C:\WINDOWS\l1rezerv.exe detected: Trojan-Spy.Win32.Zbot!IK
[1032] C:\WINDOWS\systemup.exe detected: Trojan-Spy.Win32.Zbot!IK
[228] C:\Program Files\Google\Update\GoogleUpdate.exe detected: Trojan-Spy.Win32.Zbot!IK
[224] C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe detected: Trojan-Spy.Win32.Zbot!IK
[2000] C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE detected: Trojan-Spy.Win32.Zbot!IK
[3684] C:\WINDOWS\update.5.0\svchost.exe detected: Trojan.Win32.Delf!IK
[2088] C:\WINDOWS\update.2\svchost.exe detected: Trojan.Win32.Malex!IK
[2280] C:\WINDOWS\update.5.0\svchost.exe detected: Trojan.Win32.Delf!IK
[3688] C:\WINDOWS\sysdriver32.exe detected: Trojan.Win32.Delf!IK
[3968] C:\WINDOWS\update.1\svchost.exe detected: Virus.Win32.Agent!IK
[2848] C:\WINDOWS\update.2\svchost.exe detected: Trojan.Win32.Malex!IK
Value: HKEY_CURRENT_USER\Software\JollyBear\Big City Adventure San Francisco\3DSettings --> Driver detected: Trace.Registry.GameFiesta Big City Adventure San Francisco!A2
Value: HKEY_CURRENT_USER\Software\JollyBear\Big City Adventure San Francisco\3DSettings --> DriverDate detected: Trace.Registry.GameFiesta Big City Adventure San Francisco!A2
Value: HKEY_CURRENT_USER\Software\JollyBear\Big City Adventure San Francisco\3DSettings --> DriverDescription detected: Trace.Registry.GameFiesta Big City Adventure San Francisco!A2
Key: HKEY_LOCAL_MACHINE\software\Freeze.com\ detected: Trace.Registry.Freeze!A2
Key: HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\{8E02D41C-5924-4816-9490-33CCD28BEB72} detected: Trace.Registry.MegaSearch!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Freeze.com\Installer --> id detected: Trace.Registry.EZ Game Cheats!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\iMesh --> Changed detected: Trace.Registry.iMesh 6!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\iMesh --> SlowInfoCache detected: Trace.Registry.iMesh 6!A2
Key: HKEY_CURRENT_USER\software\imesh detected: Trace.Registry.IMesh!A2
Value: HKEY_CURRENT_USER\Software\iMesh --> LastOpenFileDir detected: Trace.Registry.iMesh!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5173 detected: Trace.TrackingCookie.chtah.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5969 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5970 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5972 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5973 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5974 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5975 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:5976 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:6881 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7059 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7060 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7061 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7062 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7063 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7064 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7066 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7067 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7068 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7069 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7130 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7131 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7135 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7144 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7145 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7393 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:7399 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:8802 detected: Trace.TrackingCookie.www.mediatraffic.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:9782 detected: Trace.TrackingCookie.chtah.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:10610 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:10612 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:10621 detected: Trace.TrackingCookie.fandango.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:11412 detected: Trace.TrackingCookie.thefreedictionary.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:15856 detected: Trace.TrackingCookie.ctix8.cheaptickets.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:17387 detected: Trace.TrackingCookie.adserv!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:24206 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:30984 detected: Trace.TrackingCookie.fr.sitestat.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:30985 detected: Trace.TrackingCookie.fr.sitestat.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:32723 detected: Trace.TrackingCookie.aol.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:50139 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:50451 detected: Trace.TrackingCookie.analytics.worldnow.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:50470 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:50471 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:50472 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:50473 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:55022 detected: Trace.TrackingCookie.www.clickmanage.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:55023 detected: Trace.TrackingCookie.www.clickmanage.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:55503 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:56037 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:56038 detected: Trace.TrackingCookie.trafficmp.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:56233 detected: Trace.TrackingCookie.sales.liveperson.net!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:57447 detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:63554 detected: Trace.TrackingCookie.chtah.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:63980 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:64000 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:64477 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:64478 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:64479 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:64485 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:64542 detected: Trace.TrackingCookie.go.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:65179 detected: Trace.TrackingCookie.chtah.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:67239 detected: Trace.TrackingCookie.count!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:67316 detected: Trace.TrackingCookie.m.webtrends.com!A2
C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\l88c9cip.default\cookies.sqlite:67500 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-69f23f6d.zip/vmain.class detected: Trojan-Downloader.Java.Agent!IK
C:\Program Files\Bonjour\mDNSResponder.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Google\Update\GoogleUpdate.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\iPod\bin\iPodService.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Java\jre6\bin\jqs.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Mozilla Firefox\extensions\{d43bdc9a-64c7-dbeb-384d-7a8b1bb1bcb2}\components\LH-FCO.dll detected: Trojan.SuspectCRC!IK
C:\WINDOWS\l1rezerv.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe detected: Virus.Win32.Zbot!IK
C:\WINDOWS\phoenix\phoenix.exe detected: Trojan.Win32.Swrort!IK
C:\WINDOWS\phoenix.rar/phoenix.exe detected: Trojan.Win32.Swrort!IK
C:\WINDOWS\services32.exe detected: Trojan.Win32.AntiAV!IK
C:\WINDOWS\sysdriver32.exe detected: Trojan.Win32.Delf!IK
C:\WINDOWS\sysdriver32_.exe detected: Trojan.Win32.Delf!IK
C:\WINDOWS\system32\c_79214.nl_ detected: Backdoor.Win32.Smadow!IK
C:\WINDOWS\system32\d4dX5SFHZMq.dll detected: Riskware.AdWare.Win32.EZula!IK
C:\WINDOWS\system32\drivers\afd.sys detected: Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\drivers\avgldx86.sys detected: Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\drivers\avgtdix.sys detected: Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\drivers\cdrom.sys detected: Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\wuauclt.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\WINDOWS\systemup.exe detected: Trojan-Spy.Win32.Zbot!IK
C:\WINDOWS\Temp\66574810-loader2.exe detected: Trojan.Win32.Delf!IK
C:\WINDOWS\Temp\7771080.exe detected: Trojan.Win32.Malex!IK
C:\WINDOWS\Temp\8520117.exe detected: Trojan.Win32.Delf!IK
C:\WINDOWS\Temp\8877902.exe detected: Trojan.Win32.Delf!IK
C:\WINDOWS\Temp\9251628.exe detected: Trojan.Win32.Malex!IK
C:\WINDOWS\ufa\ufa.exe detected: possible-Threat.Win32.BitCoinMiner!IK
C:\WINDOWS\ufa.rar/ufa.exe detected: possible-Threat.Win32.BitCoinMiner!IK
C:\WINDOWS\update.1\svchost.exe detected: Virus.Win32.Agent!IK
C:\WINDOWS\update.2\svchost.exe detected: Trojan.Win32.Malex!IK
C:\WINDOWS\update.3\svchost.exe detected: Trojan.Win32.Malex!IK
C:\WINDOWS\update.5.0\svchost.exe detected: Trojan.Win32.Delf!IK
C:\WINDOWS\update.tray-12-0\svchost.exe detected: Virus.Win32.Agent!IK
C:\WINDOWS\update.tray-12-0-lnk\svchost.exe detected: Virus.Win32.Agent!IK

Scanned

Files: 185068
Traces: 477849
Cookies: 2522
Processes: 39

Found

Files: 38
Traces: 10
Cookies: 65
Processes: 14
Registry keys: 0

Scan end: 8/1/2011 6:51:17 PM
Scan time: 1:35:14

C:\WINDOWS\ufa\ufa.exe Quarantined possible-Threat.Win32.BitCoinMiner!IK
C:\WINDOWS\ufa.rar/ufa.exe Quarantined possible-Threat.Win32.BitCoinMiner!IK
C:\WINDOWS\system32\drivers\afd.sys Quarantined Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\drivers\avgldx86.sys Quarantined Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\drivers\avgtdix.sys Quarantined Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\drivers\cdrom.sys Quarantined Trojan-Dropper.Win32.Sirefef!IK
C:\WINDOWS\system32\c_79214.nl_ Quarantined Backdoor.Win32.Smadow!IK
C:\WINDOWS\services32.exe Quarantined Trojan.Win32.AntiAV!IK
C:\WINDOWS\phoenix\phoenix.exe Quarantined Trojan.Win32.Swrort!IK
C:\WINDOWS\phoenix.rar/phoenix.exe Quarantined Trojan.Win32.Swrort!IK
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe Quarantined Virus.Win32.Zbot!IK
C:\Program Files\Mozilla Firefox\extensions\{d43bdc9a-64c7-dbeb-384d-7a8b1bb1bcb2}\components\LH-FCO.dll Quarantined Trojan.SuspectCRC!IK
C:\Documents and Settings\Guest\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-54e206d6-69f23f6d.zip/vmain.class Quarantined Trojan-Downloader.Java.Agent!IK
[2088] C:\WINDOWS\update.2\svchost.exe Quarantined Trojan.Win32.Malex!IK
C:\WINDOWS\Temp\7771080.exe Quarantined Trojan.Win32.Malex!IK
C:\WINDOWS\Temp\9251628.exe Quarantined Trojan.Win32.Malex!IK
C:\WINDOWS\update.2\svchost.exe Quarantined Trojan.Win32.Malex!IK
C:\WINDOWS\update.3\svchost.exe Quarantined Trojan.Win32.Malex!IK
[1024] C:\WINDOWS\l1rezerv.exe Quarantined Trojan-Spy.Win32.Zbot!IK
[1032] C:\WINDOWS\systemup.exe Quarantined Trojan-Spy.Win32.Zbot!IK
[224] C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe Quarantined Trojan-Spy.Win32.Zbot!IK
[2000] C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Bonjour\mDNSResponder.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Google\Update\GoogleUpdate.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\iPod\bin\iPodService.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\Program Files\Java\jre6\bin\jqs.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\WINDOWS\l1rezerv.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\WINDOWS\system32\wuauclt.exe Quarantined Trojan-Spy.Win32.Zbot!IK
C:\WINDOWS\systemup.exe Quarantined Trojan-Spy.Win32.Zbot!IK
[3684] C:\WINDOWS\update.5.0\svchost.exe Quarantined Trojan.Win32.Delf!IK
[3688] C:\WINDOWS\sysdriver32.exe Quarantined Trojan.Win32.Delf!IK
C:\WINDOWS\sysdriver32.exe Quarantined Trojan.Win32.Delf!IK
C:\WINDOWS\sysdriver32_.exe Quarantined Trojan.Win32.Delf!IK
C:\WINDOWS\Temp\66574810-loader2.exe Quarantined Trojan.Win32.Delf!IK
C:\WINDOWS\Temp\8520117.exe Quarantined Trojan.Win32.Delf!IK
C:\WINDOWS\Temp\8877902.exe Quarantined Trojan.Win32.Delf!IK
C:\WINDOWS\update.5.0\svchost.exe Quarantined Trojan.Win32.Delf!IK
[352] C:\WINDOWS\update.tray-12-0\svchost.exe Quarantined Virus.Win32.Agent!IK
[3968] C:\WINDOWS\update.1\svchost.exe Quarantined Virus.Win32.Agent!IK
C:\WINDOWS\update.1\svchost.exe Quarantined Virus.Win32.Agent!IK
C:\WINDOWS\update.tray-12-0\svchost.exe Quarantined Virus.Win32.Agent!IK
C:\WINDOWS\update.tray-12-0-lnk\svchost.exe Quarantined Virus.Win32.Agent!IK

Quarantined

Files: 37
Traces: 0
Cookies: 0

-------------------------------

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7366

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2011 6:13:19 PM
mbam-log-2011-08-03 (18-13-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 287847
Time elapsed: 37 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 10
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\sysdriver32.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\SERVICES32.EXE (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WXPDRIVERS (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d030fad-85d5-6e17-622c-46fb8d655426} (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4d030fad-85d5-6e17-622c-46fb8d655426} (Adware.Adrotator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4D030FAD-85D5-6E17-622C-46FB8D655426} (Adware.Adrotator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D030FAD-85D5-6E17-622C-46FB8D655426} (Adware.Adrotator) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8877902.exe (Trojan.Downloader.Gen) -> Value: 8877902.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe (Trojan.Agent) -> Value: sysdriver32_.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8520117.exe (Trojan.Downloader.Gen) -> Value: 8520117.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66574810-loader2.exe (Trojan.Agent) -> Value: 66574810-loader2.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l1rezerv.exe (Trojan.Agent) -> Value: l1rezerv.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup (Trojan.Agent.Gen) -> Value: systemup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9251628.exe (Trojan.Downloader.Gen) -> Value: 9251628.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Services32.exe\close (Trojan.Agent) -> Value: close -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (http://mn.iamwired.net/) Good: (http://www.google.com) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\WINDOWS\rpcminer (Trojan.BCMiner) -> No action taken.

Files Infected:
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1008\A0216925.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1010\A0218060.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218484.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218485.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218491.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218492.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218638.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218702.exe (Trojan.Agent) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218703.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218704.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218705.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218637.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218679.exe (Trojan.Dropper) -> No action taken.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218687.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\rpcminer\bitcoinmineropencl.cl (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\bitcoinminercuda_10.cubin (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\bitcoinminercuda_11.cubin (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\bitcoinminercuda_20.cubin (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\cudart32_32_16.dll (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\curllib.dll (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\libeay32.dll (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\libsasl.dll (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\openldap.dll (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\rpcminer-4way.exe (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\rpcminer-cpu.exe (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\rpcminer-cuda.exe (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\rpcminer-opencl.exe (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\rpcminer\ssleay32.dll (Trojan.BCMiner) -> No action taken.
c:\WINDOWS\system32\d4dx5sfhzmq.dll (Adware.Adrotator) -> No action taken.

Any advice on how I should proceed would be appreciated.

#5 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,661 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 August 2011 - 06:18 PM

Did you run MBAM from USB stick, or normally?
The log says "No action taken".
I want you to re-run MBAM and FIX all issues.
Post new log.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif
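An added check, written for this thread rather than taken from it or from Malwarebytes: the script below parses a pasted MBAM 1.x log in the format shown above, groups detections by section and outcome, and lists anything still marked "No action taken" (the exact thing being asked about here), plus entries in autostart locations (Run values, services, SafeBoot keys, all present in the posted log) and the Security Center settings flagged as PUM.Disabled.*. The embedded sample lines are constructed to match the log format; they are not the full log.

```python
"""Triage a pasted Malwarebytes' Anti-Malware 1.x log.

Groups detections by log section and outcome, flags anything still marked
"No action taken" (detected but never removed), entries in autostart
locations (which survive a reboot), and tampered Security Center settings.
"""
import re
from collections import Counter

# Constructed sample in the format of the MBAM 1.51 logs posted in this thread
# (a handful of representative lines, not the full log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Registry Keys Infected: 2
Registry Values Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\sysdriver32.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup (Trojan.Agent.Gen) -> Value: systemup -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\WINDOWS\rpcminer (Trojan.BCMiner) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# A section header is e.g. "Registry Keys Infected:" with nothing after the colon;
# the summary lines near the top ("Registry Keys Infected: 13") carry a count and do not match.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):\s*$")
# A detection line: "<item> (<family>) -> [details -> ]<outcome>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Autostart locations seen in the thread's log: Run values, a service, and
# SafeBoot entries (which make the service load even in Safe Mode). Lower-case.
PERSISTENCE_MARKERS = ("\\currentversion\\run\\", "\\services\\", "\\safeboot\\")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, outcome."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line.startswith("("):
            continue  # preamble lines, or "(No malicious items detected)"
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # The outcome is the last " -> " segment; "Value: x" or "Bad: .. Good: .." sit before it.
        outcome = m.group("rest").split(" -> ")[-1].rstrip(".")
        entries.append({"section": section, "item": m.group("item"),
                        "family": m.group("family"), "outcome": outcome})
    return entries


def unresolved(entries):
    """Detections that were only scanned for, never removed."""
    return [e for e in entries if e["outcome"] == "No action taken"]


def persistence(entries):
    """Detections sitting in autostart locations."""
    return [e for e in entries
            if any(mk in e["item"].lower() for mk in PERSISTENCE_MARKERS)]


def tampered_protection(entries):
    """Settings changed to silence Security Center (MBAM's PUM.Disabled.* families)."""
    return [e for e in entries if e["family"].startswith("PUM.Disabled.")]


def summarize(entries):
    """Counter keyed by (section, outcome): a one-glance 'was anything fixed?' view."""
    return Counter((e["section"], e["outcome"]) for e in entries)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for (section, outcome), n in sorted(summarize(found).items()):
        print(f"{section:30} {outcome:40} {n}")
    for e in unresolved(found):
        print("NOT REMOVED:", e["item"], f"({e['family']})")
    for e in persistence(found):
        print("AUTOSTART:  ", e["item"])
    for e in tampered_protection(found):
        print("PROTECTION: ", e["item"])
```

To use it on a real log, replace SAMPLE_LOG with the pasted text (or read it from the mbam-log-*.txt file); a non-empty `unresolved()` list means the scan was run without "Remove Selected", which is what the log above shows.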


 


#6 nottechsavvy

  • Topic Starter
  • Members
  • 19 posts

Posted 03 August 2011 - 09:15 PM

I was able to reinstall MBAM and run it normally. I had not clicked "Remove Selected" until now, and was then asked to restart the machine. Here is the new log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7366

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2011 9:59:35 PM
mbam-log-2011-08-03 (21-59-35).txt

Scan type: Full scan (C:\|)
Objects scanned: 287847
Time elapsed: 37 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 10
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\sysdriver32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SERVICES32.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SRVSYSDRIVER32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WXPDRIVERS (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d030fad-85d5-6e17-622c-46fb8d655426} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d030fad-85d5-6e17-622c-46fb8d655426} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4D030FAD-85D5-6E17-622C-46FB8D655426} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D030FAD-85D5-6E17-622C-46FB8D655426} (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8877902.exe (Trojan.Downloader.Gen) -> Value: 8877902.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe (Trojan.Agent) -> Value: sysdriver32_.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8520117.exe (Trojan.Downloader.Gen) -> Value: 8520117.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66574810-loader2.exe (Trojan.Agent) -> Value: 66574810-loader2.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\l1rezerv.exe (Trojan.Agent) -> Value: l1rezerv.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup (Trojan.Agent.Gen) -> Value: systemup -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9251628.exe (Trojan.Downloader.Gen) -> Value: 9251628.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Services32.exe\close (Trojan.Agent) -> Value: close -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.StartPage) -> Bad: (http://mn.iamwired.net/) Good: (http://www.google.com) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\WINDOWS\rpcminer (Trojan.BCMiner) -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1008\A0216925.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1010\A0218060.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218484.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218485.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218491.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1024\A0218492.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218638.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218702.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218703.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218704.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218705.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218637.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218679.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1026\A0218687.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\bitcoinmineropencl.cl (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\bitcoinminercuda_10.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\bitcoinminercuda_11.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\bitcoinminercuda_20.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\cudart32_32_16.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\curllib.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\libeay32.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\libsasl.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\openldap.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\rpcminer-4way.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\rpcminer-cpu.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\rpcminer-cuda.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\rpcminer-opencl.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\rpcminer\ssleay32.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\d4dx5sfhzmq.dll (Adware.Adrotator) -> Quarantined and deleted successfully.

#7 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,661 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 03 August 2011 - 09:18 PM

Quite a bit.

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode. You'll see "Safe Mode" in all four corners of your screen.

  • Open SUPERAntiSpyware.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.

=====================================================================================

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#8 nottechsavvy

  • Topic Starter
  • Members
  • 19 posts

Posted 03 August 2011 - 11:39 PM

Here are the results for all scans:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/03/2011 at 11:43 PM

Application Version : 5.0.1108

Core Rules Database Version : 7508
Trace Rules Database Version: 5320

Scan type : Complete Scan
Total Scan Time : 00:49:32

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 245
Memory threats detected : 0
Registry items scanned : 36331
Registry threats detected : 91
File items scanned : 87430
File threats detected : 9

Adware.180solutions/Seekmo
HKCR\SkCoreSrv.LfgAx
HKCR\SkCoreSrv.LfgAx\CLSID
HKCR\SkCoreSrv.LfgAx\CurVer
HKCR\SkCoreSrv.SkCoreServices
HKCR\SkCoreSrv.SkCoreServices\CLSID
HKCR\SkCoreSrv.SkCoreServices\CurVer

Adware.Zango Toolbar/Hb
HKCR\Interface\{06784C15-B640-40F8-AEE8-3C1A3C7A899C}
HKCR\Interface\{06784C15-B640-40F8-AEE8-3C1A3C7A899C}\ProxyStubClsid
HKCR\Interface\{06784C15-B640-40F8-AEE8-3C1A3C7A899C}\ProxyStubClsid32
HKCR\Interface\{06784C15-B640-40F8-AEE8-3C1A3C7A899C}\TypeLib
HKCR\Interface\{06784C15-B640-40F8-AEE8-3C1A3C7A899C}\TypeLib#Version
HKCR\Interface\{195EF37C-0FF4-4AEF-B51B-47D326F01978}
HKCR\Interface\{195EF37C-0FF4-4AEF-B51B-47D326F01978}\ProxyStubClsid
HKCR\Interface\{195EF37C-0FF4-4AEF-B51B-47D326F01978}\ProxyStubClsid32
HKCR\Interface\{195EF37C-0FF4-4AEF-B51B-47D326F01978}\TypeLib
HKCR\Interface\{195EF37C-0FF4-4AEF-B51B-47D326F01978}\TypeLib#Version
HKCR\Interface\{1D5DF418-73EA-4B20-B0D1-5F9C6C949CB0}
HKCR\Interface\{1D5DF418-73EA-4B20-B0D1-5F9C6C949CB0}\ProxyStubClsid
HKCR\Interface\{1D5DF418-73EA-4B20-B0D1-5F9C6C949CB0}\ProxyStubClsid32
HKCR\Interface\{1D5DF418-73EA-4B20-B0D1-5F9C6C949CB0}\TypeLib
HKCR\Interface\{1D5DF418-73EA-4B20-B0D1-5F9C6C949CB0}\TypeLib#Version
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\ProxyStubClsid
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\ProxyStubClsid32
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\TypeLib
HKCR\Interface\{3A6691EA-C844-46F2-9237-1386A85CE119}\TypeLib#Version
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\ProxyStubClsid
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\ProxyStubClsid32
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\TypeLib
HKCR\Interface\{3D2E7662-85FB-4CC1-875C-A624B1AA5D96}\TypeLib#Version
HKCR\Interface\{72FEEB09-BB27-46D3-A06D-930D4D544227}
HKCR\Interface\{72FEEB09-BB27-46D3-A06D-930D4D544227}\ProxyStubClsid
HKCR\Interface\{72FEEB09-BB27-46D3-A06D-930D4D544227}\ProxyStubClsid32
HKCR\Interface\{72FEEB09-BB27-46D3-A06D-930D4D544227}\TypeLib
HKCR\Interface\{72FEEB09-BB27-46D3-A06D-930D4D544227}\TypeLib#Version
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\ProxyStubClsid
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\ProxyStubClsid32
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\TypeLib
HKCR\Interface\{736918FE-2349-4230-BA9A-1F23649E32AD}\TypeLib#Version
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\ProxyStubClsid32
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib
HKCR\Interface\{85E06077-C824-43D0-A8DC-5EFB17BC348A}\TypeLib#Version
HKCR\Interface\{89D36231-6BD9-4E20-BBA0-FD28C3A83C40}
HKCR\Interface\{89D36231-6BD9-4E20-BBA0-FD28C3A83C40}\ProxyStubClsid
HKCR\Interface\{89D36231-6BD9-4E20-BBA0-FD28C3A83C40}\ProxyStubClsid32
HKCR\Interface\{89D36231-6BD9-4E20-BBA0-FD28C3A83C40}\TypeLib
HKCR\Interface\{89D36231-6BD9-4E20-BBA0-FD28C3A83C40}\TypeLib#Version
HKCR\Interface\{972BC913-312C-44B7-AA91-4AE3EC2E264B}
HKCR\Interface\{972BC913-312C-44B7-AA91-4AE3EC2E264B}\ProxyStubClsid
HKCR\Interface\{972BC913-312C-44B7-AA91-4AE3EC2E264B}\ProxyStubClsid32
HKCR\Interface\{972BC913-312C-44B7-AA91-4AE3EC2E264B}\TypeLib
HKCR\Interface\{972BC913-312C-44B7-AA91-4AE3EC2E264B}\TypeLib#Version
HKCR\Interface\{A0BA9F0F-BCEF-49CF-8A8E-D87E19E066F3}
HKCR\Interface\{A0BA9F0F-BCEF-49CF-8A8E-D87E19E066F3}\ProxyStubClsid
HKCR\Interface\{A0BA9F0F-BCEF-49CF-8A8E-D87E19E066F3}\ProxyStubClsid32
HKCR\Interface\{A0BA9F0F-BCEF-49CF-8A8E-D87E19E066F3}\TypeLib
HKCR\Interface\{A0BA9F0F-BCEF-49CF-8A8E-D87E19E066F3}\TypeLib#Version
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\ProxyStubClsid
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\ProxyStubClsid32
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\TypeLib
HKCR\Interface\{A53762B6-30F7-469F-BA92-13D63CF09A93}\TypeLib#Version
HKCR\Interface\{BD31DF26-7178-41F4-88DD-F16B82D827CA}
HKCR\Interface\{BD31DF26-7178-41F4-88DD-F16B82D827CA}\ProxyStubClsid
HKCR\Interface\{BD31DF26-7178-41F4-88DD-F16B82D827CA}\ProxyStubClsid32
HKCR\Interface\{BD31DF26-7178-41F4-88DD-F16B82D827CA}\TypeLib
HKCR\Interface\{BD31DF26-7178-41F4-88DD-F16B82D827CA}\TypeLib#Version
HKCR\Interface\{C4DB76D5-B430-4652-8599-7CD2C8FE6CC6}
HKCR\Interface\{C4DB76D5-B430-4652-8599-7CD2C8FE6CC6}\ProxyStubClsid
HKCR\Interface\{C4DB76D5-B430-4652-8599-7CD2C8FE6CC6}\ProxyStubClsid32
HKCR\Interface\{C4DB76D5-B430-4652-8599-7CD2C8FE6CC6}\TypeLib
HKCR\Interface\{C4DB76D5-B430-4652-8599-7CD2C8FE6CC6}\TypeLib#Version
HKCR\Interface\{E4662B0A-DA6B-4408-A73B-5A2BBB2B0CC8}
HKCR\Interface\{E4662B0A-DA6B-4408-A73B-5A2BBB2B0CC8}\ProxyStubClsid
HKCR\Interface\{E4662B0A-DA6B-4408-A73B-5A2BBB2B0CC8}\ProxyStubClsid32
HKCR\Interface\{E4662B0A-DA6B-4408-A73B-5A2BBB2B0CC8}\TypeLib
HKCR\Interface\{E4662B0A-DA6B-4408-A73B-5A2BBB2B0CC8}\TypeLib#Version
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\ProxyStubClsid
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\ProxyStubClsid32
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\TypeLib
HKCR\Interface\{E977DE7C-34EA-4876-B333-207C4504589E}\TypeLib#Version
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\ProxyStubClsid
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\ProxyStubClsid32
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\TypeLib
HKCR\Interface\{F5FC30C3-68AD-451B-8BC1-8ABD98F2C69A}\TypeLib#Version

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID





-----------------------





Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 24
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````




------------------------------



MiniToolBox by Farbar
Ran by Liz (administrator) on 04-08-2011 at 13:33:27
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.no_proxies_on", "*.local"
========================= Hosts content: =================================



127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com

There are 63 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : DELL-DESKTOP
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : nc.rr.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : nc.rr.com
Description . . . . . . . . . . . : Intel® 82562V 10/100 Network Connection
Physical Address. . . . . . . . . : 00-19-D1-27-BF-D1
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 173.95.154.100
Subnet Mask . . . . . . . . . . . : 255.255.248.0
Default Gateway . . . . . . . . . : 173.95.152.1
DHCP Server . . . . . . . . . . . : 10.118.224.1
DNS Servers . . . . . . . . . . . : 209.18.47.61
                                    209.18.47.62
Lease Obtained. . . . . . . . . . : Thursday, August 04, 2011 1:59:10 PM
Lease Expires . . . . . . . . . . : Friday, August 05, 2011 1:59:10 AM

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 74.125.93.99, 74.125.93.103, 74.125.93.104, 74.125.93.105
74.125.93.106, 74.125.93.147

Pinging google.com [74.125.91.103] with 32 bytes of data:

Reply from 74.125.91.103: bytes=32 time=27ms TTL=54
Reply from 74.125.91.103: bytes=32 time=29ms TTL=54

Ping statistics for 74.125.91.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 29ms, Average = 28ms

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56
209.191.122.70

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=89ms TTL=54
Reply from 72.30.2.43: bytes=32 time=90ms TTL=54

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 89ms, Maximum = 90ms, Average = 89ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 19 d1 27 bf d1 ...... Intel® 82562V 10/100 Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 173.95.152.1 173.95.154.100 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
173.95.152.0 255.255.248.0 173.95.154.100 173.95.154.100 20
173.95.154.100 255.255.255.255 127.0.0.1 127.0.0.1 20
173.95.255.255 255.255.255.255 173.95.154.100 173.95.154.100 20
224.0.0.0 240.0.0.0 173.95.154.100 173.95.154.100 20
255.255.255.255 255.255.255.255 173.95.154.100 173.95.154.100 1
Default Gateway: 173.95.152.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/04/2011 11:02:59 AM) (Source: Application Hang) (User: )
Description: Fault bucket -1805600120.

Error: (08/04/2011 11:02:30 AM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/03/2011 06:23:18 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/03/2011 01:34:11 AM) (Source: Application Hang) (User: )
Description: Hanging application MiniToolBox.exe, version 3.3.6.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/01/2011 05:13:43 PM) (Source: Media Center Extender Services) (User: )
Description: ERROR: Device Service Listener - UDP networking failed. Error code 0x80072742.

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0) (User: )
Description: QuickBooksDB17Could not start server

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0) (User: )
Description: QuickBooksDB17Unable to initialize requested communication links

Error: (07/31/2011 08:05:16 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 5.0.0.4183, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (08/04/2011 01:29:09 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 0019D127BFD1.

Error: (08/04/2011 01:28:46 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.1.100 for the Network Card with network address 0019D127BFD1 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (08/04/2011 01:28:20 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgLdx86
AvgTdiX

Error: (08/04/2011 01:28:16 PM) (Source: Service Control Manager) (User: )
Description: The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error:
%%3

Error: (08/04/2011 01:28:16 PM) (Source: Service Control Manager) (User: )
Description: The Machine Debug Manager service failed to start due to the following error:
%%2

Error: (08/04/2011 01:28:16 PM) (Source: Service Control Manager) (User: )
Description: The Intel® Matrix Storage Event Monitor service failed to start due to the following error:
%%2

Error: (08/04/2011 01:28:16 PM) (Source: Service Control Manager) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%2

Error: (08/04/2011 01:28:16 PM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service failed to start due to the following error:
%%2

Error: (08/04/2011 01:28:16 PM) (Source: Service Control Manager) (User: )
Description: The AVG Free8 WatchDog service failed to start due to the following error:
%%3

Error: (08/04/2011 01:28:16 PM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (08/04/2011 11:02:59 AM) (Source: Application Hang)(User: )
Description: -1805600120

Error: (08/04/2011 11:02:30 AM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (08/03/2011 06:23:18 PM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000

Error: (08/03/2011 01:34:11 AM) (Source: Application Hang)(User: )
Description: MiniToolBox.exe3.3.6.1hungapp0.0.0.000000000

Error: (08/01/2011 05:13:43 PM) (Source: Media Center Extender Services)(User: )
Description: UDP0x80072742

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0)(User: )
Description: QuickBooksDB17Could not start server

Error: (08/01/2011 05:13:39 PM) (Source: ASA 9.0)(User: )
Description: QuickBooksDB17Unable to initialize requested communication links

Error: (07/31/2011 08:05:16 PM) (Source: Application Hang)(User: )
Description: firefox.exe5.0.0.4183hungapp0.0.0.000000000


========================= Memory info: ===================================

Percentage of memory in use: 19%
Total physical RAM: 2037.84 MB
Available physical RAM: 1647.17 MB
Total Pagefile: 3933.72 MB
Available Pagefile: 3720.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1998.65 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:144.33 GB) (Free:112.99 GB) NTFS

========================= Users: ========================================

User accounts for \\DELL-DESKTOP

Administrator Guest HelpAssistant
Liz QBDataServiceUser17 SUPPORT_388945a0


== End of log ==




---------------------------






GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-04 18:28:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST316081 rev.3.AD
Running: o3zmedoh.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\kwlyypog.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat 9CD80D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@cblfpakhccjoafkfllncjbjkfkdfdclckapopn 0x6A 0x61 0x61 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@bbfgnaefhmmnkmakeiongfbelodgkbhhjkjj 0x6A 0x61 0x61 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@ialfpakhccjoafkfll 0x61 0x61 0x00 0x01
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@hafgnaefhmmnkmak 0x61 0x61 0x00 0x01
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1E4BB497-DF99-76E5-884F-05A62074D157}@iapchoepdenphfbhgm 0x61 0x61 0x00 0x01
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@dbofinpdlfanjeikffcngajmenodmhjeaplfkhop 0x6A 0x61 0x62 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@cbeegifnnhimkocapndgifjnancodacmndlhnb 0x6A 0x61 0x70 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@iaofinpdlfanjeikff 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@haeegifnnhimkoca 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@iacdmifcgjlikclmja 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@abcdmnniakbkkhebhkanfmjdionhfnckgd 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7457F20B-0232-830C-6163-4920BF4831F8}@mabdhoagnomcoifgajlhpnhegb 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27F51A-6EA4-7529-B3E1-D5B4656604F1}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27F51A-6EA4-7529-B3E1-D5B4656604F1}@dbfkgpdiokakgjafanlbpkpcccgmjpecdkjgfpmb 0x6A 0x61 0x61 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DD27F51A-6EA4-7529-B3E1-D5B4656604F1}@cbhceaehnledimalhjbklmdpcdmfgghnoefmon 0x6A 0x61 0x61 0x70 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB57971$\2727823645 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\click.tlb 2144 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\L\pdmzmplg 335240 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@00000001 42512 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@000000c0 2560 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@000000cb 2048 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@80000000 24576 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@800000c0 33280 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@800000cb 27648 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\U\@800000cf 27648 bytes
File C:\WINDOWS\$NtUninstallKB57971$\513868589\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes

---- EOF - GMER 1.0.15 ----

Edited by nottechsavvy, 04 August 2011 - 05:46 PM.


#9 nottechsavvy (Topic Starter)

Posted 04 August 2011 - 08:00 PM

All scan logs have been posted. Please advise on how to proceed from here.

#10 Broni (BC Advisor)

Posted 04 August 2011 - 08:06 PM

Very well.

How is the computer doing?

I don't see any AV program installed.
Install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update it, run a full scan, and report any findings.



#11 nottechsavvy (Topic Starter)

Posted 04 August 2011 - 08:41 PM

The computer seems to be working fine. No redirects on Firefox or IE. The only problem I'm having is installing Windows Malicious Software Removal Tool from Automatic Updates. It says "Installation Complete" but continues to reappear in Automatic Updates.

As for the lack of AV, this is my sister's computer, and it looks like she had AVG Free edition and tried uninstalling it. AVG still appears in the Start Menu list of programs but does not run, nor can it be uninstalled. I will install Avast! and run a full scan.

Thanks again for your help.

#12 Broni (BC Advisor)

Posted 04 August 2011 - 08:43 PM

"it looks like she had AVG Free edition and tried uninstalling it"

Make sure to run AVG Remover to get rid of all leftovers: http://www.avg.com/us-en/utilities



#13 nottechsavvy (Topic Starter)

Posted 04 August 2011 - 10:08 PM

Here is the scan result:

*
* avast! Scan Report
* This file is generated automatically
*
* Scan name: Full system scan
* Started on: Thursday, August 04, 2011 10:17:27 PM
* VPS: 110804-1, 08/04/2011
*

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0216923.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0216924.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1009\A0216935.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1009\A0216936.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0217935.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0217936.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0217963.rbf [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0218079.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0218080.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0218093.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0218094.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1013\A0218400.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1013\A0218401.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1019\A0218435.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1019\A0218436.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1021\A0218445.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1021\A0218446.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1024\A0218469.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1024\A0218470.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1024\A0218495.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1024\A0218496.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1025\A0218572.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1025\A0218573.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218641.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218642.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218652.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218653.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218665.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218666.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218673.exe [L] Win32:BitCoinMiner-B [PUP] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218674.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218675.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218676.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218683.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218685.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218686.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218688.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218689.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218690.EXE [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218691.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218692.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218693.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218694.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218695.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218696.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218697.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218700.exe [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218701.exe [L] Win32:Patched-WQ [Trj] (0)
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini [L] Win32:Malware-gen (0)
Infected files: 49
Total files: 137907
Total folders: 13244
Total size: 39.3 GB

*
* Scan stopped: Thursday, August 04, 2011 10:59:42 PM
* Run-time was 42 minute(s), 15 second(s)
*






Should I delete all or simply quarantine for now?

Edited by nottechsavvy, 04 August 2011 - 10:09 PM.
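A quick triage of the report above, as an added example that is not part of the original post and not an avast! tool. Every line in the report is either a live file or a copy inside a System Restore snapshot (the System Volume Information\_restore{...}\RPnnnn\ paths), and that distinction decides what to do next: on the full report, 48 of the 49 hits are restore-point copies and the only live file is C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini. The script parses the report's line format and splits it that way. The embedded sample is constructed from six lines of the report; the meaning of the "[L]" marker and the trailing "(0)" is not interpreted, and the bracketed Trj/Drp/PUP tag is carried through as printed.

```python
"""Triage an avast! scan report into live files and restore-point copies.

Added example, not part of the original thread. Paths under
'System Volume Information\\_restore{...}\\RPnnnn\\' are System Restore
snapshots: inert on disk, but they bring the infection back if that
restore point is ever applied, so the usual fix is to purge the points,
not to restore from them. Everything else is a live file and needs
attention first. The sample embedded here is constructed from six lines
of the report in the thread; feed parse_report() the full saved report
for the real numbers.
"""
import re
from collections import Counter

# One detection line per file, in the layout avast's report uses:
#   <path> [L] <detection name> [<tag>] (<code>)
# The optional bracketed tag is avast's own class label as printed
# (Trj, Drp, PUP); "[L]" and the trailing number are not interpreted.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \[L\] (?P<name>\S+)"
    r"(?: \[(?P<tag>[^\]]+)\])? \((?P<code>\d+)\)\s*$"
)
# Restore-point copies live under this path; capture the RPnnnn id.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)

# Constructed sample: six lines copied from the report in this thread.
SAMPLE_REPORT = r"""
* avast! Scan Report
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0216923.sys [L] Win32:Sirefef-F [Drp] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1008\A0216924.ini [L] Win32:Malware-gen (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1010\A0217963.rbf [L] Win32:Patched-WQ [Trj] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218673.exe [L] Win32:BitCoinMiner-B [PUP] (0)
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1026\A0218683.exe [L] Win32:Patched-WQ [Trj] (0)
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini [L] Win32:Malware-gen (0)
Infected files: 6
"""


def parse_report(text):
    """Return one dict per detection line; non-matching lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_RE.search(m.group("path"))
        hits.append({
            "path": m.group("path"),
            "name": m.group("name"),
            "tag": m.group("tag"),
            "restore_point": rp.group(1) if rp else None,
        })
    return hits


def triage(hits):
    """Split hits into live files vs. restore-point copies; count families."""
    live = [h for h in hits if h["restore_point"] is None]
    archived = [h for h in hits if h["restore_point"] is not None]
    points = sorted({h["restore_point"] for h in archived},
                    key=lambda rp: int(rp[2:]))
    return {
        "live": live,
        "in_restore_points": archived,
        "restore_points": points,
        "families": Counter(h["name"] for h in hits),
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(result['live'])} live, "
          f"{len(result['in_restore_points'])} in restore points "
          f"({', '.join(result['restore_points'])})")
    for name, n in result["families"].most_common():
        print(f"  {name}: {n}")
    for h in result["live"]:
        print(f"  LIVE -> {h['path']} ({h['name']})")
```

Run against the saved report instead of the sample by reading the file and passing its text to parse_report(). The live list is the one to act on first; for the restore-point copies the answer is to delete them (or flush System Restore after the clean-up and create a fresh point), since a restore to RP1008 through RP1026 would put the Sirefef driver straight back.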


#14 Broni (BC Advisor)

Posted 04 August 2011 - 10:17 PM

You can delete all of it (almost all findings are in your restore points).

"The only problem I'm having is installing Windows Malicious Software Removal Tool from Automatic Updates. It says "Installation Complete" but continues to reappear in Automatic Updates."

This is a more or less worthless tool, so I wouldn't lose any sleep over it.

Last steps....

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.



#15 nottechsavvy (Topic Starter)

Posted 05 August 2011 - 01:25 AM

Here are the results of the ESET scan:


C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan
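The ESET hit on the hosts file matches what the MiniToolBox log already showed: dozens of social-network names (facebook.com, vk.com, vkontakte.ru, odnoklassniki.ru and their localised subdomains) pinned to 127.0.0.1, which is the generic "Qhost" pattern of a tampered hosts file. A stock hosts file maps only localhost, so the audit a responder would run is simple: any other name mapped to loopback is a block, and any name mapped to a routable address is a redirect to a host the attacker picks. The script below is an added example, not ESET's or Farbar's code and not part of the original posts. Its sample is constructed from the hosts lines printed in the log plus one hypothetical redirect line so that branch is exercised; 203.0.113.5 and www.example-bank.test are placeholders, not real hosts.

```python
"""Audit a Windows hosts file for block and redirect entries.

Added example, not part of the original thread. A stock hosts file maps
only 'localhost' to 127.0.0.1, so every other name mapped to a loopback
or unspecified address is a block (what the log shows for facebook.com,
vk.com and odnoklassniki.ru), and any name mapped to a routable address
is a redirect. The sample is constructed from the entries visible in the
MiniToolBox log plus one made-up redirect line; the log itself notes 63
further loopback lines that it did not print.
"""
import ipaddress
from collections import Counter

# Constructed sample: the visible lines from the log, then one hypothetical
# redirect entry (203.0.113.5 is a documentation address, not a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
203.0.113.5 www.example-bank.test   # hypothetical redirect, constructed
"""

# Names that legitimately map to loopback on a stock hosts file.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments are dropped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address/hostname mapping
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def audit_hosts(text):
    """Classify each mapping as benign, block (to loopback) or redirect."""
    findings = {"benign": [], "block": [], "redirect": []}
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            kind = "benign" if name in BENIGN_LOOPBACK else "block"
        else:
            kind = "redirect"
        findings[kind].append((line_no, str(ip), name))
    return findings


def registrable_domain(name):
    """Crude grouping key: 'af-za.facebook.com' -> 'facebook.com'."""
    return ".".join(name.split(".")[-2:])


def summarize_blocks(findings):
    """Count blocked names per domain so 80 lines read as a few targets."""
    return Counter(registrable_domain(name) for _, _, name in findings["block"])


if __name__ == "__main__":
    f = audit_hosts(SAMPLE_HOSTS)
    print(f"benign={len(f['benign'])} block={len(f['block'])} "
          f"redirect={len(f['redirect'])}")
    for domain, n in summarize_blocks(f).most_common():
        print(f"  blocked: {domain} ({n} name(s))")
    for line_no, ip, name in f["redirect"]:
        print(f"  REDIRECT line {line_no}: {name} -> {ip}")
```

On the machine itself, read C:\WINDOWS\system32\drivers\etc\hosts (the path ESET flagged) and pass its contents to audit_hosts(). Two caveats when cleaning: the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tells Windows where the hosts file lives, so check it still points at the default folder; and the cleaned file should contain nothing but the localhost line, since every blocked name here is a block the owner did not ask for.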



