
Computer Virus -What to do next?


  • This topic is locked
13 replies to this topic

#1 veedub3

veedub3

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 02 October 2011 - 02:39 PM

I got a virus on my computer. I have run every single virus program I have, and after cleaning they all now say not infected, yet iexplore keeps opening or I get a crash error report. I then look in the task manager, and ieuser and iexplore are running and my CPU usage is up to 100%. AVG found 12 infected files - removed, Norton found 11 - removed, Malwarebytes found 16 one day then 2 the next - removed, McAfee found 12 - removed, Spybot found 11, then found 9 the next day - removed. All of these programs now say no files infected, yet I still get iexplorer opening and crashing, and if I open Chrome it redirects my browser.

Need help, I am at my wits end.

Thanks in advance


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:23 PM

Posted 02 October 2011 - 02:48 PM

Hello, if you have 2 active AV programs you may get false readings amongst other issues.

Please post the MBAM log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
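The Result.txt sections boopme asks for (hosts content, proxy settings, event-log errors) are what a helper reads first when the complaint is browser redirects and crashes. The following Python script is an added example, not part of this thread or of MiniToolBox: it splits such a report into its sections, flags hosts-file entries that block or redirect a domain, notes whether an IE proxy is set, and counts crash events by faulting module. The embedded Result.txt is a constructed sample in the tool's layout; the .test domains and 198.51.100.7 are placeholders.

```python
"""Triage a MiniToolBox Result.txt. Added example; not MiniToolBox's own code."""
import re
from collections import Counter

# Section headers look like "===== Hosts content: =====".
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=:]+?):?\s*=+\s*$")
# "Faulting application X, ..., faulting module Y, ..., exception code 0x..."
FAULT_RE = re.compile(r"Faulting application ([^,\s]+),.*?faulting module ([^,\s]+),"
                      r".*?exception code (0x[0-9a-fA-F]+)")
# A hosts line is benign only when it maps a local name to a loopback address.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in the MiniToolBox layout (example domains, not real hosts).
SAMPLE = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

::1 localhost
127.0.0.1 localhost
127.0.0.1
127.0.0.1 update.example-av.test
198.51.100.7 www.example-search.test

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/02/2011 04:05:54 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module msvcrt.dll, version 7.0.6002.18005, time stamp 0x49e0379e, exception code 0xc0000409, fault offset 0x00025085, process id 0x141c, application start time 0xiexplore.exe0.

Error: (10/02/2011 04:03:01 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module mshtml.dll, version 7.0.6002.18457, time stamp 0x4db05548, exception code 0xc0000096, fault offset 0x000a004e, process id 0x141c, application start time 0xiexplore.exe0.

Error: (10/02/2011 03:48:58 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module mshtml.dll, version 7.0.6002.18457, time stamp 0x4db05548, exception code 0xc0000096, fault offset 0x0009fb30, process id 0xa84, application start time 0xiexplore.exe0.

System errors:
=============
Error: (10/02/2011 02:50:28 PM) (Source: cdrom) (User: )
Description: The device, \\Device\\CdRom1, has a bad block.
"""


def split_sections(text):
    """Map section name -> body; text before the first header lands under 'header'."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return {name: "\n".join(body).strip() for name, body in sections.items()}


def suspicious_hosts_entries(hosts_text):
    """(ip, name, kind) for each mapping that is not local-name -> loopback;
    kind is 'blocks' (loopback, e.g. an AV update site) or 'redirects' (other IP)."""
    flagged = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments
        if len(fields) < 2:
            continue  # blank line or a bare IP with no name: maps nothing
        ip, names = fields[0], fields[1:]
        for name in names:
            if not (ip in LOOPBACK and name.lower() in LOCAL_NAMES):
                flagged.append((ip, name, "blocks" if ip in LOOPBACK else "redirects"))
    return flagged


def crash_summary(event_text):
    """Count Application Error events per (application, faulting module, exception code)."""
    counts = Counter()
    for block in re.split(r"\n\s*\n", event_text):  # one event per blank-line-separated block
        if "(Source: Application Error)" in block:
            m = FAULT_RE.search(" ".join(block.split()))  # tolerate wrapped Description lines
            if m:
                counts[m.groups()] += 1
    return counts


def triage(result_txt):
    s = split_sections(result_txt)
    return {"hosts": suspicious_hosts_entries(s.get("Hosts content", "")),
            "ie_proxy_set": "Proxy is not enabled." not in s.get("IE Proxy Settings", ""),
            "crashes": crash_summary(s.get("Event log errors", ""))}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for ip, name, kind in report["hosts"]:
        print(f"hosts: {ip} {kind} {name}")
    for (app, module, code), n in report["crashes"].most_common():
        print(f"{n}x {app} faulted in {module} ({code})")
```

A loopback entry for a non-local name is how malware silently blocks AV update sites, and a non-loopback entry is a classic cause of the "redirects my browser" symptom from the first post.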

#3 veedub3

veedub3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 02 October 2011 - 04:56 PM

MBAM Log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7837

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

10/1/2011 11:37:46 AM
mbam-log-2011-10-01 (11-37-46).txt

Scan type: Full scan (C:\|D:\|H:\|)
Objects scanned: 557383
Time elapsed: 2 hour(s), 28 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Mogul\AppData\Roaming\microsoft\Protect\emshof.kf (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\Users\Mogul\downloads\camtasia studio 7 + keygen\camtasia_studio_7_keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.




Result.txt (Mini Tool)

MiniToolBox by Farbar
Ran by Mogul (administrator) on 02-10-2011 at 16:56:48
Windows Vista ™ Home Premium Service Pack 2 (X86)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

::1 localhost
127.0.0.1 localhost
127.0.0.1 localhost
127.0.0.1
127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Mogul-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : NVIDIA nForce 10/100 Mbps Ethernet
Physical Address. . . . . . . . . : 00-21-97-22-12-89
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::cd80:a549:bdd:ef85%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, October 02, 2011 3:46:26 PM
Lease Expires . . . . . . . . . . : Monday, October 03, 2011 3:46:25 PM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 251666064
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-DC-4B-F8-00-21-97-42-36-2F
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:10ef:3704:3f57:fe99(Preferred)
Link-local IPv6 Address . . . . . : fe80::10ef:3704:3f57:fe99%11(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : isatap.gateway.2wire.net
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: homeportal
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.159.106
74.125.159.104
74.125.159.105
74.125.159.147
74.125.159.103
74.125.159.99

Pinging google.com [74.125.159.103] with 32 bytes of data:
Reply from 74.125.159.103: bytes=32 time=23ms TTL=50
Reply from 74.125.159.103: bytes=32 time=23ms TTL=50
Ping statistics for 74.125.159.103:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 23ms, Average = 23ms
Server: homeportal
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
72.30.2.43
98.137.149.56
98.139.180.149

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=81ms TTL=51
Reply from 98.137.149.56: bytes=32 time=80ms TTL=51
Ping statistics for 98.137.149.56:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 81ms, Average = 80ms
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 10 ...00 21 97 22 12 89 ...... NVIDIA nForce 10/100 Mbps Ethernet
  1 ........................... Software Loopback Interface 1
 11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  isatap.gateway.2wire.net
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.102 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.102 276
192.168.1.102 255.255.255.255 On-link 192.168.1.102 276
192.168.1.255 255.255.255.255 On-link 192.168.1.102 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.102 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.102 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
11 18 ::/0 On-link
1 306 ::1/128 On-link
11 18 2001::/32 On-link
11 266 2001:0:4137:9e76:10ef:3704:3f57:fe99/128
On-link
10 276 fe80::/64 On-link
11 266 fe80::/64 On-link
11 266 fe80::10ef:3704:3f57:fe99/128
On-link
10 276 fe80::cd80:a549:bdd:ef85/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
10 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/02/2011 04:05:54 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module msvcrt.dll, version 7.0.6002.18005, time stamp 0x49e0379e, exception code 0xc0000409, fault offset 0x00025085, process id 0x141c, application start time 0xiexplore.exe0.

Error: (10/02/2011 04:03:01 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module mshtml.dll, version 7.0.6002.18457, time stamp 0x4db05548, exception code 0xc0000096, fault offset 0x000a004e, process id 0x141c, application start time 0xiexplore.exe0.

Error: (10/02/2011 04:02:43 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x0064007d, process id 0x141c, application start time 0xiexplore.exe0.

Error: (10/02/2011 03:52:51 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc000001d, fault offset 0x00610070, process id 0xa84, application start time 0xiexplore.exe0.

Error: (10/02/2011 03:49:47 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000000, process id 0xa84, application start time 0xiexplore.exe0.

Error: (10/02/2011 03:48:58 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module mshtml.dll, version 7.0.6002.18457, time stamp 0x4db05548, exception code 0xc0000096, fault offset 0x0009fb30, process id 0xa84, application start time 0xiexplore.exe0.

Error: (10/02/2011 03:47:25 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/02/2011 03:37:52 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module ntdll.dll, version 6.0.6002.18327, time stamp 0x4cb73436, exception code 0xc0000374, fault offset 0x000b06fc, process id 0x1470, application start time 0xiexplore.exe0.

Error: (10/02/2011 03:37:29 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc000001d, fault offset 0x000e0009, process id 0x1470, application start time 0xiexplore.exe0.

Error: (10/02/2011 03:37:06 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 7.0.6002.18005, time stamp 0x49e01e78, faulting module mshtml.dll, version 7.0.6002.18457, time stamp 0x4db05548, exception code 0xc0000096, fault offset 0x000b044a, process id 0x1470, application start time 0xiexplore.exe0.


System errors:
=============
Error: (10/02/2011 03:47:25 PM) (Source: Service Control Manager) (User: )
Description: MCSTRM%%2

Error: (10/02/2011 03:47:25 PM) (Source: Service Control Manager) (User: )
Description: Oki Application Parallel DeviceParallel arbitrator

Error: (10/02/2011 03:16:31 PM) (Source: Service Control Manager) (User: )
Description: MCSTRM%%2

Error: (10/02/2011 03:16:31 PM) (Source: Service Control Manager) (User: )
Description: Oki Application Parallel DeviceParallel arbitrator

Error: (10/02/2011 02:50:28 PM) (Source: cdrom) (User: )
Description: The device, \Device\CdRom1, has a bad block.

Error: (10/02/2011 02:46:15 PM) (Source: Service Control Manager) (User: )
Description: PC Tools Security Service1

Error: (10/02/2011 02:43:44 PM) (Source: PCTCore) (User: )
Description: @5255

Error: (10/02/2011 02:20:21 PM) (Source: Service Control Manager) (User: )
Description: MCSTRM%%2

Error: (10/02/2011 02:20:21 PM) (Source: Service Control Manager) (User: )
Description: Oki Application Parallel DeviceParallel arbitrator

Error: (10/02/2011 02:18:46 PM) (Source: Print) (User: SYSTEM)
Description: The print spooler failed to share printer EPSON Stylus Photo 1400 Series with shared resource name EPSON Stylus Photo 1400 Series. Error 2114. The printer cannot be used by others on the network.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 6.1.2)
3D Shadow by Lokas Software
7-Zip 4.65
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.2.443)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.2)
Adobe Acrobat 9 Pro - English, Français, Deutsch (Version: 9.0.0)
Adobe AIR (Version: 1.5.3.9120)
Adobe Anchor Service CS4 (Version: 2.0)
Adobe Bridge CS4 (Version: 3)
Adobe CMaps CS4 (Version: 2.0)
Adobe Color - Photoshop Specific CS4 (Version: 2.0)
Adobe Color EU Recommended Settings CS4 (Version: 2.0)
Adobe Color JA Extra Settings CS4 (Version: 2.0)
Adobe Color NA Extra Settings CS4 (Version: 2.0)
Adobe Color Video Profiles CS CS4 (Version: 2.0)
Adobe Community Help (Version: 3.0.0)
Adobe Community Help (Version: 3.0.0.400)
Adobe Creative Suite 4 Master Collection (Version: 4.0)
Adobe CSI CS4 (Version: 1)
Adobe Default Language CS4 (Version: 2.0)
Adobe Dreamweaver CS4 (Version: 10.0)
Adobe Drive CS4 (Version: 1)
Adobe Dynamiclink Support (Version: 1)
Adobe Encore CS4 Codecs (Version: 4)
Adobe ExtendScript Toolkit CS4 (Version: 3.0.0)
Adobe Extension Manager CS4 (Version: 2.0)
Adobe Flash Player 10 ActiveX (Version: 10.0.32.18)
Adobe Flash Player 10 Plugin (Version: 10.3.181.26)
Adobe Fonts All (Version: 2.0)
Adobe Illustrator CS4 (Version: 14.0)
Adobe InDesign CS4 (Version: 6.0)
Adobe InDesign CS4 Application Feature Set Files (Roman) (Version: 6.0)
Adobe InDesign CS4 Common Base Files (Version: 6.0)
Adobe InDesign CS4 Icon Handler (Version: 6.0)
Adobe Linguistics CS4 (Version: 4.0.0)
Adobe Media Encoder CS4 (Version: 1.0)
Adobe Media Encoder CS4 Additional Exporter (Version: 1.0)
Adobe Media Encoder CS4 Dolby (Version: 1.0)
Adobe Media Encoder CS4 Exporter (Version: 1.0)
Adobe Media Encoder CS4 Importer (Version: 1.0)
Adobe Media Player (Version: 1.1)
Adobe Output Module (Version: 2.0)
Adobe PDF Library Files CS4 (Version: 9.0)
Adobe Photoshop CS4 (Version: 11.0)
Adobe Photoshop CS4 Support (Version: 11.0)
Adobe Premiere Pro CS4 (Version: 4)
Adobe Premiere Pro CS4 Functional Content (Version: 4)
Adobe Premiere Pro CS4 Third Party Content (Version: 4)
Adobe Reader 9 (Version: 9.0.0)
Adobe Search for Help (Version: 1.0)
Adobe Service Manager Extension (Version: 1.0)
Adobe Setup (Version: 2.0)
Adobe SGM CS4 (Version: 3.0)
Adobe SING CS4 (Version: 2.0)
Adobe Soundbooth CS4 Codecs (Version: 2)
Adobe Type Support CS4 (Version: 9.0)
Adobe Update Manager CS4 (Version: 6.0.0)
Adobe WinSoft Linguistics Plugin (Version: 1.1)
Adobe XMP Panels CS4 (Version: 2.0)
AdobeColorCommonSetCMYK (Version: 2.0)
AdobeColorCommonSetRGB (Version: 2.0)
Akamai NetSession Interface
Apple Application Support (Version: 1.4.1)
Apple Mobile Device Support (Version: 3.3.1.3)
Apple Software Update (Version: 2.1.2.120)
avast! Free Antivirus (Version: 6.0.1289.0)
Bonjour (Version: 2.0.4.0)
bpd_scan_Carrier (Version: 3.00.0000)
BPDSoftware (Version: 140.0.000.000)
BPDSoftware_Ini (Version: 1.00.0000)
BufferChm (Version: 140.0.213.000)
C5150n - C5200n Series GDI Driver from OKI® Printing Solutions for Windows (Version: 210)
C6100n from OKI® Printing Solutions PCL Printer Driver Version 2.0.2.0 for Windows Vista (Version: 2.0.2.0)
C6100n from OKI® Printing Solutions PS Printer Driver Version PPD 1.0 for Windows Vista (Version: PPD 1.0)
Camtasia Studio 7 (Version: 7.0.0)
CCleaner (Version: 3.10)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Connect (Version: 1.0.0.1)
Corel Graphics - Windows Shell Extension (Version: 15.1.0.588)
Corel Graphics - Windows Shell Extension (Version: 15.1.588)
Corel VideoStudio 12 (Version: 12.0.0.0000)
CorelDRAW Graphics Suite X4 - Capture (Version: 14.2)
CorelDRAW Graphics Suite X4 - Content (Version: 14.2)
CorelDRAW Graphics Suite X4 - Draw (Version: 14.2)
CorelDRAW Graphics Suite X4 - Filters (Version: 14.2)
CorelDRAW Graphics Suite X4 - FontNav (Version: 14.2)
CorelDRAW Graphics SUite X4 - ICA (Version: 14.2)
CorelDRAW Graphics Suite X4 - IPM (Version: 14.2)
CorelDRAW Graphics Suite X4 - Lang EN (Version: 14.2)
CorelDRAW Graphics Suite X4 - PP (Version: 14.2)
CorelDRAW Graphics Suite X4 - VBA (Version: 14.2)
CorelDRAW Graphics Suite X4 (Version: 14.2)
CorelDRAW® Graphics Suite X4
CyberLink DVD Suite Deluxe (Version: 6.0.2111)
DesignPro 5 (Version: 5.5.708)
Destinations (Version: 130.0.0.0)
DeviceDiscovery (Version: 140.0.213.000)
DHTML Editing Component (Version: 6.02.0001)
EPSON Print CD (Version: 1.50.000)
EPSON Printer Software
EPSON SP1400 Reference Guide
Fax (Version: 140.0.213.000)
FileZilla Client 3.5.1 (Version: 3.5.1)
Funtime Rhinestone (Version: 14.00.0000)
Google Chrome (Version: 14.0.835.187)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.69)
GPBaseService2 (Version: 140.0.212.000)
Hardware Diagnostic Tools (Version: 5.1.4976.17)
HiJackThis (Version: 1.0.0)
HP Active Support Library (Version: 3.1.9.1)
HP Imaging Device Functions 14.0 (Version: 14.0)
HP Recovery Manager RSS (Version: 91.0.0.10)
HP Solution Center 14.0 (Version: 14.0)
HP Total Care Advisor (Version: 2.4.5106.2815)
HP Total Care Setup (Version: 1.1.1983.2818)
HPAsset component for HP Active Support Library (Version: 3.0.0.3)
HPProductAssistant (Version: 140.0.213.000)
HTML and XHTML Step by Step (Version: 2.00.10)
iTunes (Version: 10.1.2.17)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Java™ 6 Update 7 (Version: 1.6.0.70)
Job Accounting SERVER from OKI® Printing Solutions for Windows Operating Systems (Version: JAS)
kuler (Version: 2.0)
LabelPrint (Version: 2.5.0904)
LightScribe System Software 1.14.25.1 (Version: 1.14.25.1)
LightScribe Template Labeler (Version: 1.14.25.1)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Live Search Toolbar (Version: 3.0.541.0)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual Studio Tools for Applications 2.0 - ENU (Version: 9.0.30729)
Microsoft Visual Studio Tools for Applications 2.0 Runtime (Version: 9.0.30729)
Microsoft Works (Version: 9.7.0621)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
MosChip Multi-IO Controller
MP3 Recorder Studio 6.0
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
neroxml (Version: 1.0.0)
Network (Version: 140.0.215.000)
Notepad++ (Version: 5.8.7)
NVIDIA Drivers
OKI Print Job Accounting (Version: 1.00.000)
OKI Print Job Accounting Client (Version: 1.00.000)
PDF Settings CS4 (Version: 9.0)
Photoshop Camera Raw (Version: 5.0)
PIXresizer (Version: 2.0.5)
Power2Go (Version: 6.0.2112)
PowerDirector (Version: 7.0.2202)
ProductContext (Version: 140.0.000.000)
Python 2.5.2 (Version: 2.5.2150)
QuickTime (Version: 7.69.80.9)
Realtek High Definition Audio Driver (Version: 6.0.1.5910)
rStones for CorelDraw
Scan (Version: 140.0.167.000)
SignCut (remove only)
Soft Data Fax Modem with SmartCP (Version: 7.80.0.0)
SolutionCenter (Version: 140.0.214.000)
Spybot - Search & Destroy (Version: 1.6.2)
Status (Version: 140.0.256.000)
Suite Shared Configuration CS4 (Version: 1.0)
The Rosetta Stone
Toolbox (Version: 140.0.428.000)
TrayApp (Version: 140.0.213.000)
UnloadSupport (Version: 1.00.0000)
Update Manager (Version: 4.60)
Vegas Movie Studio HD Platinum 10.0 (Version: 10.0.179)
VideoStudio (Version: 12.0.0.0000)
Visual Basic for Applications ® Core - English (Version: 6.4.99.69)
Visual Basic for Applications ® Core (Version: 6.4.99.69)
WampServer 2.1
Web-Based Email Tools (Version: 1.0.14)
WebReg (Version: 140.0.213.017)
Windows Installer Clean Up (Version: 3.00.00.0000)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.3374)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows Movie Maker 2.6 (Version: 2.6.4040.0)
WinPCSIGN Pro 2010 (Version: 14.00.0000)

========================= Memory info: ===================================

Percentage of memory in use: 39%
Total physical RAM: 3005.76 MB
Available physical RAM: 1808.89 MB
Total Pagefile: 6222.02 MB
Available Pagefile: 5134.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1961.31 MB

========================= Partitions: =====================================

1 Drive c: (COMPAQ) (Fixed) (Total:221.63 GB) (Free:134.36 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:11.25 GB) (Free:1.58 GB) NTFS
3 Drive e: (Corel.Ultimate20) (CDROM) (Total:4.04 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\MOGUL-PC

Administrator Guest Mogul

========================= Minidump Files ==================================

No minidump file found

**** End of log ****




gmer.log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-02 17:48:58
Windows 6.0.6002 Service Pack 2
Running: 0gkbod14.exe; Driver: C:\Users\Mogul\AppData\Local\Temp\uwloypog.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DEC91F93-CBEB-6130-3ED4-53B5FAEA9CB3}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DEC91F93-CBEB-6130-3ED4-53B5FAEA9CB3}@gajicekkhomamg 0x61 0x63 0x6B 0x6E ...

---- Files - GMER 1.0.15 ----

File C:\Users\Mogul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3MBWEIQI\navcancl[1] 0 bytes

---- EOF - GMER 1.0.15 ----
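A parser for the GMER log format, added here as an example (it is not part of this thread, nor GMER's own code): it re-joins entries that a forum paste wrapped across lines, splits each registry entry into key, value name and data, and groups values by key. The sample excerpt is constructed from entries of the kind the gmer.log above contains; entry kinds other than Reg and File are assumed from typical GMER output.

```python
import re
from collections import defaultdict

# Entry kinds that start a line; Reg and File appear in the log above, the rest
# are assumed from typical GMER output (extend as needed).
ENTRY_KINDS = ("Reg", "File", "SSDT", "Code", "Device", "AttachedDevice",
               "Thread", "Module", "Disk", "Library", "Process", "Service")
_PREFIXES = tuple(k + " " for k in ENTRY_KINDS)

def unwrap(text):
    """Re-join entries that a forum paste wrapped across lines. A fragment is
    glued without a space when the break fell inside a path or GUID (previous
    line ends in '\\' or '-', or the fragment starts with '\\'); otherwise a
    space is restored, which gives GMER's 'key@ data' form for default values."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----") or line.startswith(_PREFIXES):
            lines.append(line)
        elif lines:  # continuation; banner text before the first entry is skipped
            glue = lines[-1].endswith(("\\", "-")) or line.startswith("\\")
            lines[-1] += ("" if glue else " ") + line
    return lines

def parse(text):
    """One dict per entry: section, kind, path, name, data. For Reg entries,
    name is None for a bare key, '' for the default value, else the value name."""
    entries, section = [], None
    for line in unwrap(text):
        if line.startswith("----"):
            section = line.strip("- ").split(" - ")[0]  # "Registry", "Files", ...
            continue
        kind, _, rest = line.partition(" ")
        path, name, data = rest, None, None
        if kind == "Reg":
            path, at, after = rest.partition("@")
            if at:
                name, _, data = after.partition(" ")
                data = data.strip() or None
        elif kind == "File":
            m = re.match(r"^(.*)\s+(\d+ bytes)$", rest)
            if m:
                path, data = m.group(1), m.group(2)
        entries.append({"section": section, "kind": kind, "path": path,
                        "name": name, "data": data})
    return entries

def registry_keys(entries):
    """Map each registry key to its list of (value name, data) pairs."""
    keys = defaultdict(list)
    for e in entries:
        if e["kind"] == "Reg":
            keys[e["path"]]  # a bare key is recorded even if no value follows
            if e["name"] is not None:
                keys[e["path"]].append((e["name"], e["data"]))
    return dict(keys)

def find_values(entries, name_pattern):
    """Registry values whose value name matches a regex, e.g. the 32 hex-digit
    names the log records under each CLSID's InprocServer32 key."""
    rx = re.compile(name_pattern)
    return [e for e in entries
            if e["kind"] == "Reg" and e["name"] and rx.search(e["name"])]

# Constructed excerpt in the wrapped form a forum paste produces.
SAMPLE = r"""---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1

771343423
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@
C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DEC91F93-CBEB-
6130-3ED4-53B5FAEA9CB3}@gajicekkhomamg 0x61 0x63 0x6B 0x6E ...
---- Files - GMER 1.0.15 ----
File C:\Users\Mogul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
\3MBWEIQI\navcancl[1] 0 bytes
---- EOF - GMER 1.0.15 ----
"""
```

`find_values(parse(SAMPLE), r"^[0-9a-f]{32}$")` pulls the values whose name is a 32-digit hex string into one list, so the per-CLSID InprocServer32 values a log like this one lists can be reviewed together.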

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:23 PM

Posted 02 October 2011 - 09:21 PM

Hello, I will say your infections are coming through cracked software.

IMPORTANT NOTE: The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV


When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Before we can continue, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.



Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now reboot to Normal and run an ESET online scan
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.


How is it running now?

Edited by boopme, 02 October 2011 - 09:22 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 veedub3

veedub3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 03 October 2011 - 08:26 AM

I will do what you suggest later this morning, but all of the software installed on my computer is legit to my knowledge. The computer came with most of these already installed and I have had this computer for 3 years now with no issues. The virus was downloaded through an email I opened last Thursday. I was emailing back and forth with the US Post Office, and as soon as I sent them a reply I received a message in my spam box about the shipment from the US Postal Service, so naturally I was thinking it was a legit email even though it went to my spam box. I opened the email and as soon as I did I knew it was a virus. Since you think the issue is from pirated software, can you let me know which ones? I can always take the computer back to the computer store I purchased it from to see if he can help, but like I said the virus came from an email last Thursday.

I will repost after I follow your instructions.

#6 veedub3

veedub3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 03 October 2011 - 04:36 PM

So far I have removed all problem software from the computer. I cleaned the registry to remove any file left from removing the programs before starting the instructions you suggested. The only files that remain are files that I installed where I have the serial numbers.

Here is the SAS scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/03/2011 at 02:28 PM

Application Version : 5.0.1128

Core Rules Database Version : 7747
Trace Rules Database Version: 5559

Scan type : Complete Scan
Total Scan Time : 01:05:18

Operating System Information
Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
UAC Off - Administrator

Memory items scanned : 340
Memory threats detected : 0
Registry items scanned : 38114
Registry threats detected : 0
File items scanned : 179366
File threats detected : 44

Adware.Tracking Cookie
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@ad.yieldmanager[1].txt [ /ad.yieldmanager ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@ads.undertone[2].txt [ /ads.undertone ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@advertising[2].txt [ /advertising ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@apmebf[1].txt [ /apmebf ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@atdmt[2].txt [ /atdmt ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@dc.tremormedia[2].txt [ /dc.tremormedia ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@doubleclick[1].txt [ /doubleclick ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@fastclick[2].txt [ /fastclick ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@imrworldwide[2].txt [ /imrworldwide ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@invitemedia[1].txt [ /invitemedia ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@media6degrees[2].txt [ /media6degrees ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@questionmarket[1].txt [ /questionmarket ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@r1-ads.ace.advertising[1].txt [ /r1-ads.ace.advertising ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@realmedia[1].txt [ /realmedia ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@revsci[1].txt [ /revsci ]
C:\Users\Mogul\AppData\Roaming\Microsoft\Windows\Cookies\mogul@ru4[2].txt [ /ru4 ]
C:\USERS\MOGUL\Cookies\mogul@revsci[1].txt [ Cookie:mogul@revsci.net/ ]
C:\USERS\MOGUL\Cookies\mogul@advertising[2].txt [ Cookie:mogul@advertising.com/ ]
C:\USERS\MOGUL\Cookies\mogul@ad.yieldmanager[1].txt [ Cookie:mogul@ad.yieldmanager.com/ ]
C:\USERS\MOGUL\Cookies\mogul@atdmt[2].txt [ Cookie:mogul@atdmt.com/ ]
C:\USERS\MOGUL\Cookies\mogul@ru4[2].txt [ Cookie:mogul@ru4.com/ ]
C:\USERS\MOGUL\Cookies\mogul@imrworldwide[2].txt [ Cookie:mogul@imrworldwide.com/cgi-bin ]
C:\USERS\MOGUL\Cookies\mogul@r1-ads.ace.advertising[1].txt [ Cookie:mogul@r1-ads.ace.advertising.com/ ]
C:\USERS\MOGUL\Cookies\mogul@dc.tremormedia[2].txt [ Cookie:mogul@dc.tremormedia.com/ ]
C:\USERS\MOGUL\Cookies\mogul@media6degrees[2].txt [ Cookie:mogul@media6degrees.com/ ]
C:\USERS\MOGUL\Cookies\mogul@fastclick[2].txt [ Cookie:mogul@fastclick.net/ ]
C:\USERS\MOGUL\Cookies\mogul@apmebf[1].txt [ Cookie:mogul@apmebf.com/ ]
.doubleclick.net [ C:\USERS\MOGUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA(965)\DEFAULT\COOKIES ]
ad.insightexpressai.com [ C:\USERS\MOGUL\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\TSQK98GC ]
cdn.tremormedia.com [ C:\USERS\MOGUL\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\TSQK98GC ]
objects.tremormedia.com [ C:\USERS\MOGUL\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\TSQK98GC ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@ADS.UNDERTONE[1].TXT [ /ADS.UNDERTONE ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@ADVERTISING[1].TXT [ /ADVERTISING ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@APMEBF[2].TXT [ /APMEBF ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@AT.ATWOLA[1].TXT [ /AT.ATWOLA ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@BURSTNET[1].TXT [ /BURSTNET ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@CONTENT.YIELDMANAGER[1].TXT [ /CONTENT.YIELDMANAGER ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@FASTCLICK[1].TXT [ /FASTCLICK ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@MEDIAPLEX[2].TXT [ /MEDIAPLEX ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@NETWORK.REALMEDIA[1].TXT [ /NETWORK.REALMEDIA ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@REALMEDIA[2].TXT [ /REALMEDIA ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@SERVING-SYS[2].TXT [ /SERVING-SYS ]
C:\USERS\MOGUL\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\MOGUL@WWW.BURSTNET[1].TXT [ /WWW.BURSTNET ]

Trojan.Agent/Gen-FraudPack
C:\WINDOWS\FASHIONFACTORY-UNINSTALL.EXE (FYI: Fashion Factory is a legit add-on from a Corel Developer)

The ESET scan is still running. It has been for the last 3 hours and is still at 45%. It may be tomorrow before I get the results for this one.

Currently: ieuser.exe and iexplorer.exe are still opening by themselves, still redirecting my browser, and still crashing. CPU usage stays at 100%.

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:23 PM

Posted 03 October 2011 - 05:15 PM

OK, let ESET finish. If you are running other apps, you should close them to speed things up.

I said that as MBAM found camtasia_studio_7_keygen.exe, possibly a crack, and you have the usual symptoms of that.
It also found malware that has stolen any passwords. They will need to be changed.

Let me look into FASHIONFACTORY. I believe you.

Edited by boopme, 03 October 2011 - 07:01 PM.


#8 veedub3

veedub3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 03 October 2011 - 06:13 PM

No programs are running on the infected computer; I am using my laptop to communicate in the meantime until I get the desktop cleaned. I don't even see Camtasia installed on the computer. I will look again. As soon as ESET finishes, I will post the results.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:23 PM

Posted 03 October 2011 - 08:15 PM

OK

#10 veedub3

veedub3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 04 October 2011 - 08:57 AM

ESET finished, NO threats found. iexplorer.exe is still opening by itself and redirecting my browser.

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:23 PM

Posted 04 October 2011 - 07:24 PM

I guess we need a deeper look as we will need stronger tools.

Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#12 veedub3

veedub3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:23 PM

Posted 05 October 2011 - 08:22 AM

Thanks, I will post in the other section once complete, but can I ask one question: after doing the DDS scan, how long should it take for the two notepad files to pop up? The DDS scan is complete but no files.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:23 PM

Posted 05 October 2011 - 01:52 PM

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open and are at your Desktop.
  • Double click on the OTL Posted Image icon on your desktop.
  • Select 30 days from the File Age: drop down menu.
  • Click the "Scan All Users" checkbox.
  • Click the Posted Image button to start.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTL.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy the contents of OTL.txt to the clipboard by highlighting everything and pressing Ctrl+C or after highlighting, right-click and choose Copy and then paste it into a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here.
  • Also copy and paste the contents of Extras.Txt in your next reply as well. If the Extras.Txt log is too long, you may need to add a second reply to your thread.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,046 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:23 PM

Posted 06 October 2011 - 01:43 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic421988.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

