Intermittent Google Redirect Virus


14 replies to this topic

#1 NETio


Posted 30 August 2011 - 09:23 PM

On between 50% and 10% of Google results clicked I get redirected to find-fast-answers.com (and then to one of their ad-search sites). I've done multiple full scans with ESET, MBAM, ClamWin, TDSSKiller (removed a rootkit installed as driver), just ran GMER which found traces of the rootkit TDSS Killer cleaned up, and I've been through HJT and ESET SysInspector logs on my own. I'm to the point of doing a full reinstall of Windows just to get peace of mind and speed up my computer (which has been getting very sluggish). Also, I've been through the hosts file, flushed the DNS cache, checked system and FF proxy settings. None of that was messed up. It acts like a rootkit that is hooking one of FF's API calls. I'm just not sure where it is hiding. I've certainly never encountered anything this stealthy or hard to remove.

So shall I plan on a W7 reinstall this weekend or do you think it's worth salvaging?

#2 Broni


Posted 30 August 2011 - 09:39 PM

Welcome aboard

Is IE affected as well?

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.



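As an added example (not code from this thread, from MiniToolBox or from any poster), the script below applies the checks Broni's MiniToolBox step asks the reader to eyeball, to a report in the layout MiniToolBox prints: it parses the IE proxy, FF proxy and hosts sections and flags an enabled IE proxy, a Firefox proxy that points at another machine, and hosts-file entries beyond the Windows defaults. The two sample reports, the 192.0.2.10 address and every function name are constructed for this example.

```python
"""Triage of the proxy and hosts sections of a MiniToolBox report.
Added example for this thread (not MiniToolBox code or any poster's): parses
the IE proxy, FF proxy and hosts sections in the layout MiniToolBox prints and
flags settings that would explain a redirect. Sample reports are constructed.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Section banner, e.g. "========================= FF Proxy Settings: =========="
SECTION_RE = re.compile(r"^=+[ \t]*(?P<name>[^=:\n]+?):?[ \t]*=+[ \t]*$", re.MULTILINE)
# Firefox pref line, e.g. '"network.proxy.http_port", 8118'
FF_PREF_RE = re.compile(r'^"(?P<key>network\.proxy\.[\w.]+)",[ \t]*(?P<val>.+?)[ \t]*$', re.MULTILINE)
# The only hosts entries Windows ships with; anything else was added later.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def split_sections(report: str) -> Dict[str, str]:
    """Map each banner title to the text that follows it, up to the next banner."""
    sections: Dict[str, str] = {}
    banners = list(SECTION_RE.finditer(report))
    for i, banner in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(report)
        sections[banner.group("name").strip()] = report[banner.end():end].strip()
    return sections


def parse_ff_proxy(body: str) -> Dict[str, object]:
    """Turn the prefs.js-style lines into typed values (str, int or bool)."""
    prefs: Dict[str, object] = {}
    for m in FF_PREF_RE.finditer(body):
        raw = m.group("val")
        if raw.startswith('"') and raw.endswith('"'):
            prefs[m.group("key")] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[m.group("key")] = raw == "true"
        else:
            prefs[m.group("key")] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def parse_hosts(body: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for line in body.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 or the literal name localhost."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(report: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing redirect-relevant."""
    findings: List[str] = []
    sections = split_sections(report)
    ie = sections.get("IE Proxy Settings", "")
    if ie and "Proxy is not enabled." not in ie:
        findings.append("IE: a proxy is enabled; confirm it is one you configured")
    ff = parse_ff_proxy(sections.get("FF Proxy Settings", ""))
    ptype = ff.get("network.proxy.type", 0)  # 0 none, 1 manual, 2 PAC, 4 WPAD, 5 system
    if ptype == 1:  # a manual proxy matters only if it leaves the machine (Tor/Privoxy sit on loopback)
        for scheme in ("http", "ssl", "socks"):
            host = ff.get(f"network.proxy.{scheme}")
            if host and not is_loopback(str(host)):
                port = ff.get(f"network.proxy.{scheme}_port", "?")
                findings.append(f"Firefox: manual {scheme} proxy {host}:{port} is not on this machine")
    elif ptype in (2, 4):
        findings.append(f"Firefox: proxy type {ptype} (PAC or WPAD) hands routing to a fetched script; check its source")
    # ptype 0, as in the thread's log: stored proxy hosts are inert, so nothing to report.
    for ip, name in parse_hosts(sections.get("Hosts content", "")):
        if (ip, name) not in DEFAULT_HOSTS:
            findings.append(f"hosts: {name} is pinned to {ip}; confirm this mapping is intentional")
    return findings


# Constructed to mirror the thread's log: Tor/Privoxy prefs stored but proxy type 0.
CLEAN_REPORT = """\
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
========================= FF Proxy Settings: ==============================
"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 8118
"network.proxy.socks", "127.0.0.1"
"network.proxy.socks_port", 9050
"network.proxy.type", 0
========================= Hosts content: =================================
74.208.10.249 gs.apple.com
"""
# Constructed counter-example: manual proxy on another host (192.0.2.10 is a documentation address).
HIJACKED_REPORT = CLEAN_REPORT.replace(
    '"network.proxy.http", "127.0.0.1"', '"network.proxy.http", "192.0.2.10"'
).replace('"network.proxy.type", 0', '"network.proxy.type", 1')

if __name__ == "__main__":
    for label, rep in (("thread-like", CLEAN_REPORT), ("hijacked", HIJACKED_REPORT)):
        print(label, triage(rep) or ["no findings"])
```

On the thread's own values the only finding is the non-default gs.apple.com hosts entry, because network.proxy.type is 0 and the stored loopback proxies are inactive.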
#3 NETio


Posted 01 September 2011 - 06:44 PM

I'm not sure if IE is affected, I don't use IE. I will try it after I post up these results/logs.

Nothing other than traces of the driver TDSSKiller removed (sptd.sys) appear out of the ordinary. I do think that my problems are related to those traces, possibly it restored itself and downloaded an update that TDSSKiller does not detect. As far as proxies, I had Tor set up but disabled (normal), nothing odd in startup (do you want the HJT log?), no odd partitions (I run two WD Caviar Blacks in RAID 0, Boot/Software partition short-stroked to 300GB), I ran a MBR check program before and nothing other than standard Win 7 boot manager, nothing I can find in programs other than the fact I have way too many (and several are missing from that list, especially games).

And as for the MBAM being a quick scan; that's what you asked for and I ran a full scan last time my PC was on. I also ran a full scan with ESET which found nothing.
 

Results of screen317's Security Check version 0.99.7
Windows 7
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Duplicate Cleaner 2.0
Microsoft VM for Java
Java™ 6 Update 23
Out of date Java installed!
Adobe Flash Player 10.3.183.5
Adobe Reader X
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

 

MiniToolBox Log:
MiniToolBox by Farbar 
Ran by Dwayne (administrator) on 01-09-2011 at 19:20:24
Windows 7 Ultimate  (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ============================== 

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 8118
"network.proxy.no_proxies_on", "127.0.0.1"
"network.proxy.socks", "127.0.0.1"
"network.proxy.socks_port", 9050
"network.proxy.socks_remote_dns", true
"network.proxy.ssl", "127.0.0.1"
"network.proxy.ssl_port", 8118
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

74.208.10.249 gs.apple.com

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add address name="VirtualBox Host-Only Network" address=192.168.56.1


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Dwayne-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : wildblue.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : wildblue.com
   Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20) #2
   Physical Address. . . . . . . . . : 00-22-68-5E-D9-A6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fc8a:93af:1937:7392%12(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, September 01, 2011 7:12:22 PM
   Lease Expires . . . . . . . . . . : Friday, September 02, 2011 7:12:22 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 301998696
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-89-F4-90-00-22-68-5E-D9-A2
   DNS Servers . . . . . . . . . . . : 75.104.128.61
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.wildblue.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : wildblue.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:c4a:e4d:3f57:fe9a(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::c4a:e4d:3f57:fe9a%13(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter 6TO4 Adapter:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  vip-cdns.wb1.syr.wldblu.net
Address:  75.104.128.61

Name:    google.com
Addresses:  74.125.91.104
	  74.125.91.105
	  74.125.91.106
	  74.125.91.147
	  74.125.91.99
	  74.125.91.103


Pinging google.com [74.125.93.106] with 32 bytes of data:
Reply from 74.125.93.106: bytes=32 time=1608ms TTL=48
Reply from 74.125.93.106: bytes=32 time=2137ms TTL=48

Ping statistics for 74.125.93.106:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1608ms, Maximum = 2137ms, Average = 1872ms
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  75.104.128.61

Name:    yahoo.com
Addresses:  69.147.125.65
	  72.30.2.43
	  98.137.149.56
	  209.191.122.70
	  67.195.160.76


Pinging yahoo.com [67.195.160.76] with 32 bytes of data:
Reply from 67.195.160.76: bytes=32 time=1439ms TTL=47
Reply from 67.195.160.76: bytes=32 time=1227ms TTL=47

Ping statistics for 67.195.160.76:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1227ms, Maximum = 1439ms, Average = 1333ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 12...00 22 68 5e d9 a6 ......Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20) #2
  1...........................Software Loopback Interface 1
 25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 24...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.101    276
    192.168.1.101  255.255.255.255         On-link     192.168.1.101    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.101    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.101    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.101    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 13     58 2001::/32                On-link
 13    306 2001:0:4137:9e76:c4a:e4d:3f57:fe9a/128
                                    On-link
 12    276 fe80::/64                On-link
 13    306 fe80::/64                On-link
 13    306 fe80::c4a:e4d:3f57:fe9a/128
                                    On-link
 12    276 fe80::fc8a:93af:1937:7392/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    306 ff00::/8                 On-link
 12    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/01/2011 07:20:37 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/01/2011 07:20:25 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/01/2011 07:20:25 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/01/2011 07:20:24 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/01/2011 07:20:24 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/01/2011 07:17:35 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/01/2011 07:13:35 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/30/2011 08:43:45 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/30/2011 08:11:06 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/30/2011 08:04:06 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (09/01/2011 07:14:17 PM) (Source: DCOM) (User: SYSTEM)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (09/01/2011 07:14:12 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535

Error: (09/01/2011 07:14:12 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535

Error: (09/01/2011 07:14:12 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535

Error: (09/01/2011 07:14:12 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535

Error: (09/01/2011 07:14:12 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801

Error: (09/01/2011 07:14:12 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801

Error: (09/01/2011 07:14:01 PM) (Source: Service Control Manager) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535

Error: (09/01/2011 07:14:01 PM) (Source: Service Control Manager) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535

Error: (09/01/2011 07:14:01 PM) (Source: PNRPSvc) (User: )
Description: 0x80630801


Microsoft Office Sessions:
=========================
Error: (09/01/2011 07:20:37 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (09/01/2011 07:20:25 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (09/01/2011 07:20:25 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (09/01/2011 07:20:24 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (09/01/2011 07:20:24 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (09/01/2011 07:17:35 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (09/01/2011 07:13:35 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (08/30/2011 08:43:45 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (08/30/2011 08:11:06 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe

Error: (08/30/2011 08:04:06 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"C:\Windows\system32\conhost.exe


=========================== Installed Programs ============================

.NET Reactor
.NET Reactor (Version: 4.0.0.0)
.NET Reactor Registration v4.0.0.0 (Version: 4.0.0.0)
{smartassembly} (Version: 4.1.39)
µTorrent (Version: 2.2.0)
64 Bit HP CIO Components Installer (Version: 6.2.2)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
AC3Filter 1.63b (Version: 1.63b)
AccessPORT Driver 1.2.2
AccessPORT Manager 2.0.1.5 (Version: 2.0.1.5)
AccessTUNER Race - Subaru USDM 2011 Impreza STI 1.9.1.0-2236 (Version: 1.9.1.0-2236)
Acronis True Image Home (Version: 13.0.5055)
ActiveState Komodo Edit 6.0.3 (Version: 6.0.3)
Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 10 ActiveX (Version: 10.1.102.64)
Adobe Flash Player 10 ActiveX 64-bit (Version: 10.3.162.28)
Adobe Flash Player 10 Plugin (Version: 10.3.183.5)
Adobe Flash Player 10 Plugin 64-bit (Version: 10.3.162.28)
Adobe Reader X (Version: 10.0.0)
Adobe Shockwave Player 11.5 (Version: 11.5.9.620)
Apple Application Support (Version: 2.1.1)
Apple Mobile Device Support (Version: 4.0.0.81)
Apple Software Update (Version: 2.1.3.127)
ASCII Art Studio
Assassin's Creed II (Version: 1.01)
ASUS Xonar DX Audio Driver
Audacity 1.3.12 (Unicode)
AutoIt v3.3.6.1
AviSynth 2.5
Battlefield: Bad Company™ 2 (Version: 1.0.0.0)
BDE_ENT (Version: 5.1.1)
Belarc Advisor 7.2
Bonjour (Version: 2.0.5.0)
Boost Libraries for C++Builder 2010
Boost Libraries for C++Builder 2010 (Version: 7.0)
Call of Duty: Black Ops
CCleaner (Version: 3.09)
Cheat Engine 6.0
CloneDVD2 (Version: 2.9.2.8)
Compare It! (Version: 4.2)
ConvertXtoDVD 2.2.3.258 (Version: 2.2.3.258)
Core Temp version 0.99.8 (Version: 0.99.8)
CPUID CPU-Z 1.56
Crysis® 2 (Version: 1.0.0.0)
Crystal Reports for Visual Studio (Version: 12.51.0.240)
D3DX10 (Version: 15.4.2368.0902)
Darkspore™ (Version: 1.00.0000)
Data Lifeguard Diagnostic for Windows 1.22
DivX Setup (Version: 2.3.0.20)
Dotfuscator Software Services - Community Edition (Version: 5.0.2300.0)
DriveImage XML (Private Edition) (Version: 2.20)
Duplicate Cleaner 2.0 (Version: 2.0)
DVDFab 8.0.8.5 (19/03/2011)
Embarcadero Delphi and C++Builder 2010 Database Pack
Embarcadero Delphi and C++Builder 2010 Database Pack (Version: 7.0)
Embarcadero Delphi and C++Builder 2010 Help System
Embarcadero Delphi and C++Builder 2010 Help System (Version: 7.0)
Embarcadero RAD Studio 2010
Embarcadero RAD Studio 2010 (Version: 7.0)
ESET NOD32 Antivirus (Version: 4.0.468.0)
EVEREST Ultimate Edition v5.30 (Version: 5.30)
EVGA Precision 2.0.3 (Version: 2.0.3)
Fable III (Version: 1.0.0000.131)
Fable III (Version: 1.0.0001.131)
FileZilla Client 3.4.0 (Version: 3.4.0)
Fraps (remove only)
FreeOCR 3.0 (Version: 3.0)
GIMP 2.6.7
Gpg4win (2.1.0) (Version: 2.1.0)
HandBrake 0.9.5 (Version: 0.9.5)
HD Tach version 3
HD Tune Pro 4.60
HiJackThis (Version: 1.0.0)
HP Photosmart C4700 All-in-One Driver 14.0 Rel. 6 (Version: 14.0)
iLinc Client
ILMerge (Version: 2.10.0526)
iTunes (Version: 10.5.0.90)
Java Auto Updater (Version: 2.0.2.4)
Java(TM) 6 Update 23 (Version: 6.0.230)
Java(TM) SE Development Kit 6 Update 24 (64-bit) (Version: 1.6.0.240)
Junk Mail filter update (Version: 15.4.3502.0922)
K-Lite Codec Pack 6.8.0 (Full) (Version: 6.8.0)
LiveZilla
LiveZilla (Version: 3.3.2.2)
Logitech SetPoint 6.20 (Version: 6.20.64)
Malwarebytes' Anti-Malware version 1.51.1.1800 (Version: 1.51.1.1800)
Media Player Classic - Home Cinema v1.4.2499.0 x64 (Version: 1.4.2499.0)
MediaPortal TV Server / Client (Version: 1.1.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft .NET Framework 4 Multi-Targeting Pack (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools (Version: 2.0.50217.0)
Microsoft ASP.NET MVC 2 (Version: 2.0.50217.0)
Microsoft Document Explorer 2008
Microsoft Document Explorer 2008 (Version: 9.0.21022)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.5.88.0)
Microsoft Games for Windows Marketplace (Version: 3.5.50.0)
Microsoft Help Viewer 1.0 (Version: 1.0.30319)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Office 32-bit Components 2010 (Version: 14.0.4734.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared 32-bit MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft Silverlight 3 SDK (Version: 3.0.40818.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft SQL Server 2008 (64-bit)
Microsoft SQL Server 2008 Browser (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Common Files (Version: 10.0.1600.22)
Microsoft SQL Server 2008 Common Files (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Database Engine Services (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Database Engine Shared (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Native Client (Version: 10.1.2531.0)
Microsoft SQL Server 2008 R2 Data-Tier Application Framework (Version: 10.50.1447.4)
Microsoft SQL Server 2008 R2 Data-Tier Application Project (Version: 10.50.1447.4)
Microsoft SQL Server 2008 R2 Management Objects (Version: 10.50.1447.4)
Microsoft SQL Server 2008 R2 Management Objects (x64) (Version: 10.50.1447.4)
Microsoft SQL Server 2008 R2 Transact-SQL Language Service (Version: 10.50.1447.4)
Microsoft SQL Server 2008 RsFx Driver (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Setup Support Files  (Version: 10.1.2731.0)
Microsoft SQL Server Compact 3.5 SP2 ENU (Version: 3.5.8080.0)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (Version: 3.5.8080.0)
Microsoft SQL Server Database Publishing Wizard 1.4 (Version: 10.1.2512.8)
Microsoft SQL Server System CLR Types (Version: 10.50.1447.4)
Microsoft SQL Server System CLR Types (x64) (Version: 10.50.1447.4)
Microsoft SQL Server VSS Writer (Version: 10.1.2531.0)
Microsoft Sync Framework Runtime v1.0 SP1 (x64) (Version: 1.0.3010.0)
Microsoft Sync Framework SDK v1.0 SP1 (Version: 1.0.3010.0)
Microsoft Sync Framework Services v1.0 SP1 (x64) (Version: 1.0.3010.0)
Microsoft Sync Services for ADO.NET v2.0 SP1 (x64) (Version: 2.0.3010.0)
Microsoft Team Foundation Server 2010 Object Model - ENU (Version: 10.0.30319)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (Version: 9.0.30729.4974)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Designtime - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x64 Runtime - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x86 Runtime - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual F# 2.0 Runtime (Version: 10.0.30319)
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727)
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools (Version: 10.0.30319)
Microsoft Visual Studio 2010 IntelliTrace Collection (x64) (Version: 10.0.30319)
Microsoft Visual Studio 2010 Office Developer Tools (x64) (Version: 10.0.30319)
Microsoft Visual Studio 2010 Performance Collection Tools - ENU (Version: 10.0.30319)
Microsoft Visual Studio 2010 SharePoint Developer Tools (Version: 10.0.30319)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31117)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31121)
Microsoft Visual Studio 2010 Ultimate - ENU (Version: 10.0.30319)
Microsoft Visual Studio Macro Tools (Version: 9.0.30729)
Microsoft VM for Java
MinGW-Get version 0.2-alpha-2 (Version: 0.2-alpha-2)
mirkes.de Tiny Hexer (Version: 1.8)
MKVtoolnix 4.4.0 (Version: 4.4.0)
Monkey Studio IDE (Version: 1.8.4.0)
Mozilla Firefox (3.5.6) (Version: 3.5.6 (en-US))
Mozilla Firefox 6.0 (x86 en-US) (Version: 6.0)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MyAVScan.com Client 0.2
MySQL Server 5.1 (Version: 5.1.38)
NetBeans IDE 6.9.1 (Version: 6.9.1)
Network64 (Version: 140.0.215.000)
Nightly 6.0a1 (x64 en-US) (Version: 6.0a1)
Notepad++ (Version: 5.9.2)
NVIDIA 3D Vision Driver 266.58 (Version: 266.58)
NVIDIA Control Panel 266.58 (Version: 266.58)
NVIDIA Graphics Driver 266.58 (Version: 266.58)
NVIDIA HD Audio Driver 1.1.13.1 (Version: 1.1.13.1)
NVIDIA Install Application (Version: 2.265.36.0)
NVIDIA PhysX (Version: 9.10.0514)
NVIDIA PhysX System Software 9.10.0514 (Version: 9.10.0514)
NVIDIA Stereoscopic 3D Driver (Version: 7.17.12.6658)
Oblivion - Construction Set (Version: 1.00.0000)
Oblivion (Version: 1.00.0000)
OpenAL
Oracle VM VirtualBox 3.2.8 (Version: 3.2.8)
oZone3D.Net FurMark v1.7.0
PChat v1.4 (Version: 1.4.0.281)
PECompact (Version: 3.02.2)
pidgin-otr 3.2.0-1 (Version: 3.2.0-1)
Pidgin (Version: 2.7.9)
Polipo 1.0.4
Prototype(TM) (Version: 1.0)
PS_AIO_06_C4700_SW_Min (Version: 140.0.690.000)
Python 2.5 py2exe-0.6.9 (Version: 0.6.9)
Python 2.6 comtypes-0.6.2
Python 2.6 psyco-1.6
Python 2.6 pywin32-214
Python 2.6.5 (Version: 2.6.5150)
Python 2.7 pywin32-214
Python 2.7.2 (64-bit) (Version: 2.7.2150)
Python 3.1.3 (64-bit) (Version: 3.1.3150)
QuickTime (Version: 7.69.80.9)
RAD Studio 2007 SP2 Lite v1.3
Recuva (Version: 1.39)
Revo Uninstaller Pro 2.4.3 (Version: 2.4.3)
S.T.A.L.K.E.R. - Call of Pripyat [v1.6.02] (Version: 1.6.02)
Sauerbraten
Scan (Version: 140.0.80.000)
SciTE4AutoIt3 2/28/2010 (Version: 2/28/2010)
SDFormatter (Version: 3.0.0)
Secunia PSI (2.0.0.1003)
Service Pack 1 for SQL Server 2008 (KB968369) (64-bit) (Version: 10.1.2531.0)
Skype Toolbars (Version: 5.0.4137)
Skype™ 5.1 (Version: 5.1.112)
SmartAssembly 6 (Version: 6.0.0.513)
Sniper Ghost Warrior
SourceFormatX 2.56 (Version: 2.56)
SpeedFan (remove only)
Spoon Studio 2011 (Version: 9.0.1549.2)
Sql Server Customer Experience Improvement Program (Version: 10.1.2531.0)
Steam (Version: 1.0.0.0)
SummerProperties 1.2 (Version: 1.2)
TeamViewer 6 (Version: 6.0.10462)
TightVNC 2.0.2 (Version: 2.0.2)
Toolbox (Version: 140.0.428.000)
Tor 0.2.1.21
TrueCrypt (Version: 7.0a)
TVersity Codec Pack 1.4 (Version: 1.4)
TVersity Media Server 1.9.3 (Version: 1.9.3)
Ubisoft Game Launcher (Version: 1.0.0.0)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
Vidalia 0.2.6
Viewpoint Media Player
Virtual Dyno
Visual Studio 2010 Prerequisites - English (Version: 10.0.30319)
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU (Version: 4.0.8080.0)
VLC media player 1.1.6 (Version: 1.1.6)
Wacom Tablet (Version: 6.1.6-7)
Web Deployment Tool (Version: 1.1.0618)
WebTablet IE Plugin (Version: 1.1.0.7)
WebTablet Netscape Plugin (Version: 1.1.0.5)
Wi-Fi Sync
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
WinRAR archiver
WinX Free MP4 to WMV Converter 4.1.9
Wrye Bash
wxPython 2.8.11.0 (ansi) for Python 2.6 (Version: 2.8.11.0-ansi)
wxPython 2.8.11.0 (unicode) for Python 2.7 (Version: 2.8.11.0-unicode)
X-Chat 2.8.6-2 (Version: 2.8.6-2)
Xiph.Org Open Codecs 0.85.17777 (Version: 0.85.17777)

========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 6135.14 MB
Available physical RAM: 4006.82 MB
Total Pagefile: 12268.43 MB
Available Pagefile: 9887.09 MB
Total Virtual: 4095.88 MB
Available Virtual: 3977.25 MB

========================= Partitions: =====================================

2 Drive c: (Boot) (Fixed) (Total:299.9 GB) (Free:35.51 GB) NTFS
3 Drive d: (Storage) (Fixed) (Total:1563.01 GB) (Free:269.96 GB) NTFS
5 Drive f: (Storage 1) (Fixed) (Total:465.66 GB) (Free:101.6 GB) NTFS

========================= Users: ========================================

User accounts for \\DWAYNE-PC

Administrator            Dwayne                   Guest                    


**** End of log ****

 

GooRedFix Results:
GooredFix by jpshortstuff (03.07.10.1)
Log created at 19:29 on 01/09/2011 (Dwayne)
Firefox version 6.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========
C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:05 20/04/2011]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [21:51 06/02/2011]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [06:15 13/01/2011]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [21:10 10/02/2011]

C:\Users\Dwayne\Application Data\Mozilla\Firefox\Profiles\g1445rww.default\extensions\
elemhidehelper@adblockplus.org [04:13 07/06/2011]
fireform@mozilla.org [04:13 07/06/2011]
personas@christopher.beard [04:13 07/06/2011]
{966762eb-7132-4081-ac70-20d20161ad96} [00:35 24/02/2011]
{dc0fa143-3db3-73ee-e852-912722c852fd} [00:35 24/02/2011]

C:\Users\Dwayne\Application Data\Mozilla\Firefox\Profiles\iuskmd9f.Firefox 3.5\extensions\
{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [01:49 23/02/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{23fcfd51-4958-4f00-80a3-ae97e717ed8b}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video" [01:08 22/01/2011]
"{6904342A-8307-11DF-A508-4AE2DFD72085}"="C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa" [01:08 22/01/2011]

-=E.O.F=-

 

GMER Log 1:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-30 22:18:01
Windows 6.1.7600  
Running: qewzstuq.exe


---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011671cec44                                    
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1                                                             771343423
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2                                                             285507792
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0                                                             1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                               
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                            C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                            0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                            0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                         0x8C 0xD7 0x1C 0xC5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                      
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                   0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                0x48 0xAF 0xD1 0x10 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                 
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12           0xBC 0x1A 0xEF 0xA0 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011671cec44 (not active ControlSet)                
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)           
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                             0x8C 0xD7 0x1C 0xC5 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)  
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                       0x20 0x01 0x00 0x00 ...

---- EOF - GMER 1.0.15 ----

GMER Log 2:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-01 19:34:30
Windows 6.1.7600  
Running: qewzstuq.exe


---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011671cec44                                         
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1                                                                  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2                                                                  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0                                                                  1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x8C 0xD7 0x1C 0xC5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x48 0xAF 0xD1 0x10 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0xBA 0x5F 0xE6 0xB8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011671cec44 (not active ControlSet)                     
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files (x86)\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x8C 0xD7 0x1C 0xC5 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x48 0xAF 0xD1 0x10 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0xBA 0x5F 0xE6 0xB8 ...

---- EOF - GMER 1.0.15 ----

 

MBAM Log:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7588

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/1/2011 7:38:19 PM
mbam-log-2011-09-01 (19-38-19).txt

Scan type: Quick scan
Objects scanned: 173983
Time elapsed: 1 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

UPDATE:
Unfortunately I can confirm my computer IS still infected.

Edited by NETio, 01 September 2011 - 07:32 PM.


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:06 PM

Posted 01 September 2011 - 09:16 PM

sptd.sys is a legit file.

I still need you to test IE.

So far I can see a couple of issues: Firefox proxies and an incorrect "hosts" file.

Please, go here: http://support.microsoft.com/kb/972034#FixItForMeAlways and click on "Fix it" button to reset your "hosts" file.

Re-run MiniToolbox.

Checkmark the following boxes:
  • Flush DNS
  • Reset FF Proxy Settings
Click Go and post the result.

Restart computer.

Re-run MiniToolbox.

Checkmark the following boxes:
  • Report FF Proxy Settings
  • List content of Hosts
Click Go and post the result.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 NETio

NETio
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 01 September 2011 - 09:52 PM

My hosts file is fine. gs.apple.com is in there from TinyUmbrella, an iPhone jailbreak/hack tool.

UPDATE:
I can't reproduce the problem in IE.

UPDATE:
MiniToolBox by Farbar
Ran by Dwayne (administrator) on 01-09-2011 at 23:08:28
Windows 7 Ultimate (X64)

***************************************************************************

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

74.208.10.249 gs.apple.com


**** End of log ****

Happy now? I'm not trying to be an a** but I told you those things were fine. I had FF set to use Tor (the proxy settings were there but weren't toggled) and gs.apple.com is in hosts for TinyUmbrella, a non-malicious iPhone Jailbreak/Hack tool.

Edited by NETio, 01 September 2011 - 10:13 PM.
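Broni's checklist (list the hosts file, report the Firefox proxy settings) and the MiniToolbox output NETio posted in reply both come down to two small text files, and the point NETio makes is worth seeing in code: a proxy host recorded in prefs.js is not in use unless network.proxy.type selects it. The following is an added example written for this page; it is not code from the thread, from MiniToolbox or from any BleepingComputer tool. The sample hosts and prefs.js contents are constructed (the gs.apple.com line mirrors the MiniToolbox log, the 8118/9050 ports stand for a Polipo/Tor setup, the www.google.com line uses a TEST-NET address to show what a hijacking entry looks like), and the assumption that an absent network.proxy.type means Firefox's built-in default of 5 (system settings) is mine, not something the thread states.

```python
"""Audit a Windows hosts file and a Firefox prefs.js for proxy and redirect settings.

Added example for this page; not code from the thread, from MiniToolbox or from
any BleepingComputer tool. The sample hosts and prefs.js contents are constructed.
"""
import os
import re

# Where Windows keeps the hosts file (well-known location).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Entries that are Windows defaults and never worth flagging.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Meaning of Firefox's network.proxy.type preference.
PROXY_TYPES = {
    0: "direct (no proxy)",
    1: "manual proxy",
    2: "PAC script URL",
    4: "auto-detect (WPAD)",
    5: "use system proxy settings",
}

# Constructed sample: the gs.apple.com line mirrors the thread's MiniToolbox log;
# the www.google.com line is the kind of entry a hijack would add (TEST-NET address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
74.208.10.249 gs.apple.com
192.0.2.10 www.google.com   # constructed redirecting entry
"""

# Constructed sample prefs.js: manual proxy fields (Polipo on 8118, Tor SOCKS on
# 9050) are present, but network.proxy.type is 0, so Firefox connects directly.
SAMPLE_PREFS = """\
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.type", 0);
user_pref("browser.startup.homepage", "about:home");
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def suspicious_hosts_entries(text, allowlist=()):
    """Entries that are neither Windows defaults nor on the caller's allowlist."""
    allow = {name.lower() for name in allowlist}
    return [(ip, name) for ip, name in parse_hosts(text)
            if (ip, name) not in DEFAULT_HOSTS and name not in allow]


PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Parse prefs.js user_pref() lines into {name: str | bool | int}."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def proxy_report(prefs):
    """Effective proxy state: configured hosts only matter if network.proxy.type selects them."""
    # prefs.js stores only changed values; 5 (system settings) is assumed as Firefox's default.
    ptype = prefs.get("network.proxy.type", 5)
    manual_keys = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks")
    configured = [k for k in manual_keys if prefs.get(k)]
    return {
        "type": ptype,
        "type_name": PROXY_TYPES.get(ptype, "unknown"),
        "manual_proxy_configured": bool(configured),
        "manual_proxy_in_use": ptype == 1 and bool(configured),
        "pac_url": prefs.get("network.proxy.autoconfig_url") if ptype == 2 else None,
    }


if __name__ == "__main__":
    hosts_text = open(HOSTS_PATH).read() if os.path.exists(HOSTS_PATH) else SAMPLE_HOSTS
    print("hosts entries to review:", suspicious_hosts_entries(hosts_text, ["gs.apple.com"]))
    print("Firefox proxy state:", proxy_report(parse_prefs(SAMPLE_PREFS)))
```

Run it on a real machine by pointing HOSTS_PATH at the hosts file and reading the profile's prefs.js instead of SAMPLE_PREFS; pass known-benign hostnames (here gs.apple.com, which NETio attributes to TinyUmbrella) through the allowlist so only the unexplained entries are printed. The report deliberately distinguishes "configured" from "in use": a type of 0 with proxy hosts present is exactly the state NETio describes, and only type 1 (or a PAC URL under type 2) actually routes traffic.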


#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:06 PM

Posted 01 September 2011 - 09:57 PM

Skip "hosts" file reset. Continue with others.



#7 NETio

NETio
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 01 September 2011 - 10:29 PM

I performed what you asked, minus the hosts file reset. The log is in my last post. Thanks for your time.

Edited by NETio, 01 September 2011 - 10:30 PM.


#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:06 PM

Posted 01 September 2011 - 10:32 PM

Happy now?

Not quite with this type of reply.
Just trying to help...hmmmm

Does the issue still happen after resetting FF proxies?



#9 NETio

NETio
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 02 September 2011 - 06:34 PM

I apologize for my rude response; it was uncalled for. Yes, the issue still happens in FF. I'm running FF 6.0.1. ESET turns up nothing, MBAM Full or Quick Scan turns up nothing, TDSSKiller turns up nothing, and you checked the GMER log.

I'd really like to know if my OS is even easily salvageable at this point. Shall I start a clean install this weekend or do you think it is fixable?

UPDATE:
It's a very intermittent problem. I just did a Google search for "antivirus" and result 2 (non-sponsored) was www.avast.com; it redirected to http://www.pcsecurityshield.com/lp/shield-deluxe-53.aspx?wps800, and then from the same Google page (I did not refresh) I clicked the same link and it took me to the right page. I firmly believe it is redirecting through API hooks, not a crude proxy system.

UPDATE:
Another scan with TDSS Killer, nothing found...

UPDATE:
I did everything you asked of me in Safe Mode once more. TDSS Killer found nothing, GMER returned the same log, the ESET Scanner found nothing, MBAM Quick Scan found nothing, no modified proxy settings. I did not think to try and reproduce the problem in Safe Mode.

Have you ever encountered anything this stealthy? I can't imagine how many people are infected and don't know it.

Edited by NETio, 02 September 2011 - 07:38 PM.
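NETio's observation above (the same search result landing on pcsecurityshield.com once and on avast.com the next time) is the pattern that separates an intermittent hijack from a site's own permanent redirect, and it is something you can triage from a simple click log rather than by eye. The following is an added example written for this page, not code from the thread or from any tool mentioned in it: a function over constructed click records (the avast.com/pcsecurityshield.com pair mirrors NETio's post; the example.org and example.net records and all timestamps are made up) that flags only clicked URLs whose landing host varied between on-site and off-site.

```python
"""Flag clicked links whose landing host varies between on-site and off-site.

Added example for this page, not code from the thread or any tool in it.
The observations below are constructed; the avast.com/pcsecurityshield.com
pair mirrors what NETio describes, the rest is made up.
"""
from collections import defaultdict
from urllib.parse import urlparse


def host_of(url):
    """Lower-cased host without port: enough for log triage."""
    return urlparse(url).netloc.split(":", 1)[0].lower()


def same_site(a, b):
    """Treat www.example.com and example.com as one site (simple heuristic)."""
    def strip_www(h):
        return h[4:] if h.startswith("www.") else h
    return strip_www(a) == strip_www(b)


def find_inconsistent_landings(observations):
    """Group click records by clicked URL; report those that landed both on- and off-site.

    A link that always goes somewhere else is the site's own redirect; one that
    goes elsewhere only some of the time is the intermittent pattern from the thread.
    observations: dicts with 'when', 'clicked', 'landed' (URLs as strings).
    """
    by_click = defaultdict(list)
    for ob in observations:
        by_click[ob["clicked"]].append(ob)

    findings = {}
    for clicked, obs in by_click.items():
        expected = host_of(clicked)
        off_site = [o for o in obs if not same_site(host_of(o["landed"]), expected)]
        if off_site and len(off_site) < len(obs):
            findings[clicked] = {
                "expected_host": expected,
                "off_site_landings": sorted({host_of(o["landed"]) for o in off_site}),
                "off_site_count": len(off_site),
                "total": len(obs),
                "first_seen": min(o["when"] for o in off_site),
            }
    return findings


SAMPLE_OBSERVATIONS = [  # constructed click log
    {"when": "2011-09-02T18:20:01", "clicked": "http://www.avast.com/",
     "landed": "http://www.pcsecurityshield.com/lp/shield-deluxe-53.aspx?wps800"},
    {"when": "2011-09-02T18:20:30", "clicked": "http://www.avast.com/",
     "landed": "http://www.avast.com/"},
    # control: always lands where it should (bare vs. www is the same site)
    {"when": "2011-09-02T18:21:05", "clicked": "http://example.org/",
     "landed": "http://example.org/"},
    {"when": "2011-09-02T18:21:20", "clicked": "http://example.org/",
     "landed": "http://www.example.org/"},
    # a site's own permanent redirect: off-site every time, so not intermittent
    {"when": "2011-09-02T18:22:00", "clicked": "http://example.net/",
     "landed": "https://docs.example.com/"},
    {"when": "2011-09-02T18:22:15", "clicked": "http://example.net/",
     "landed": "https://docs.example.com/"},
]


if __name__ == "__main__":
    for url, info in find_inconsistent_landings(SAMPLE_OBSERVATIONS).items():
        print(url, "->", info)
```

Feed it a few dozen (clicked, landed) pairs recorded from the affected browser, for instance from a logging proxy or an extension that records navigations, and repeat the same clicks from a known-clean machine for comparison. Consistent redirects (HTTP to HTTPS, bare domain to www, a site that always forwards elsewhere) are excluded by design, so what remains is the set of links worth reporting in a thread like this one along with the time they first went astray.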


#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:06 PM

Posted 02 September 2011 - 07:45 PM

If you're using Firefox 3.x, close Firefox. Go Start>All Programs>Mozilla Firefox, click on Mozilla Firefox (safe mode).
If you're using Firefox 4 or higher, go Help>Restart Firefox with Add-ons Disabled.
Same issue?



#11 NETio

NETio
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 02 September 2011 - 08:04 PM

I went ahead and tried out ComboFix... I think it may have fixed my problem. I will spend some time trying to reproduce the problem, but obviously running without add-ons/extensions would be pointless if I couldn't get the same problem with them.

Is there any way to be certain there are no keyloggers/form-grabbers/other spyware on my PC now? I already know the answer (no) but I'd like to have a little peace of mind with your opinion on if it's safe to do day to day activities again.

Now I remember why I loved using Gentoo so much...

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:06 PM

Posted 02 September 2011 - 08:06 PM

I'm not allowed to comment on Combofix results.

If you want to take it for a deeper check....

With the information you have provided I believe you will need help from the malware removal team.
Please make sure that you read the information about getting started first.
Then start a new thread HERE and include all required logs.
Including a link to this thread will be helpful.

Good luck and be patient. Help is on the way!



#13 NETio

NETio
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:06 PM

Posted 03 September 2011 - 01:20 PM

I was under the impression that this was the place to get help from. Thanks for the time and assistance you provided.

Edited by NETio, 03 September 2011 - 01:22 PM.


#14 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,735 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:06 PM

Posted 03 September 2011 - 01:26 PM

Surely it is, but this is a kind of preliminary forum.
Sometimes more advanced tools are needed and those are not allowed in this forum.



#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,009 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:06 PM

Posted 06 September 2011 - 12:20 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic417315.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



