Being Redirected AND fake spyware tool popping up


  • This topic is locked
2 replies to this topic

#1 Paul99tmd

  • Members
  • 1 posts

Posted 29 November 2011 - 11:25 PM

Hi,

Thanks in advance.

I am having a problem that I can't seem to fix with Malwarebytes + Spybot alone. When I go to google.com to search, I am being redirected to random sites.

Also, I keep getting a fake spyware program called Privacy Guard (process = privacy.exe) that is launching. It is also preventing me from opening applications (such as Malwarebytes... I need to run it in safe mode to open it), MSCONFIG, Task Manager, etc...

The tools I use (mentioned above) seem to temporarily fix the problem, and then it starts all over again the next day. I am at my wit's end. Logs pasted below:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Catie at 22:43:29 on 2011-11-29
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3835.2453 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\ping.exe
C:\windows\system32\conhost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
TB: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
uRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{082C745E-A224-483F-A055-E7AF76EA6E61} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{082C745E-A224-483F-A055-E7AF76EA6E61}\4586F6D637F6E613 : DhcpNameServer = 68.87.64.150 68.87.75.198
TCP: Interfaces\{082C745E-A224-483F-A055-E7AF76EA6E61}\876696E696479777966696 : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{082C745E-A224-483F-A055-E7AF76EA6E61}\F6074796D657D677966696 : DhcpNameServer = 75.75.75.75 75.75.76.76
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - No File
BHO-X64: MediaBar - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
BHO-X64: Yontoo Layers - No File
TB-X64: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - No File
TB-X64: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Catie\AppData\Roaming\Mozilla\Firefox\Profiles\kja1w4pw.default\
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, 4c679954-d0db-4f48-b158-899a7d591f78
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]
R2 HsfXAudioService;HsfXAudioService;C:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-7-1 151552]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-25 366152]
R2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\SymcPCCULaunchSvc.exe [2010-10-26 135608]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.3.198\ccSvcHst.exe [2010-10-26 126392]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2010-2-25 252928]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atipmdag.sys --> C:\windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]
R3 CAXHWAZL;CAXHWAZL;C:\windows\system32\DRIVERS\CAXHWAZL.sys --> C:\windows\system32\DRIVERS\CAXHWAZL.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\system32\DRIVERS\L1C62x64.sys --> C:\windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 QIOMem;Generic IO & Memory Access;C:\windows\system32\DRIVERS\QIOMem.sys --> C:\windows\system32\DRIVERS\QIOMem.sys [?]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys --> C:\windows\system32\DRIVERS\rtl8192se.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-10-26 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-11-2 1153368]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\system32\Drivers\RtsUStor.sys --> C:\windows\system32\Drivers\RtsUStor.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\windows\system32\DRIVERS\VSTAZL6.SYS --> C:\windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\windows\system32\DRIVERS\VSTDPV6.SYS --> C:\windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2010-2-23 835952]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-11-30 02:39:47 388096 ----a-r- C:\Users\Catie\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-30 02:39:46 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-11-27 02:05:39 -------- d-----w- C:\Program Files (x86)\2CA5E
2011-11-27 02:04:55 -------- d-----w- C:\Program Files (x86)\LP
2011-11-27 02:00:44 -------- d-----w- C:\Users\Catie\AppData\Roaming\jBtzPNycAuDoFpG
2011-11-27 02:00:43 -------- d-----w- C:\Users\Catie\AppData\Roaming\ZQJ7dEK8gZhXjVl
2011-11-26 23:12:42 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F5473A7A-4E5A-446B-B7EB-E33DDAEC9438}\offreg.dll
2011-11-26 23:10:47 -------- d-----w- C:\Users\Catie\AppData\Roaming\C1uvS2obFpGaJdK
2011-11-26 17:19:01 -------- d-----w- C:\Users\Catie\AppData\Roaming\HYCwkIVrlNx0c1b
2011-11-26 17:19:01 -------- d-----w- C:\Users\Catie\AppData\Roaming\d3onG4amHsJfLgZ
2011-11-26 16:29:07 -------- d-----w- C:\Users\Catie\AppData\Roaming\VcS2ibD3pGaHs7E
2011-11-26 16:29:07 -------- d-----w- C:\Users\Catie\AppData\Roaming\P9gTZqjYCkVlNx
2011-11-26 13:01:40 -------- d-----w- C:\Users\Catie\AppData\Roaming\QRL9gTXqjCkrOtA
2011-11-26 13:01:40 -------- d-----w- C:\Users\Catie\AppData\Roaming\o2ibD3pnGaHsKfL
2011-11-26 08:00:03 -------- d-----w- C:\Users\Catie\AppData\Roaming\I9hYXwjUVlBzNc1
2011-11-26 08:00:02 -------- d-----w- C:\Users\Catie\AppData\Roaming\rpmH5sQJ7E8R
2011-11-26 06:30:41 -------- d-----w- C:\Users\Catie\AppData\Roaming\YaQH6sWK7E
2011-11-26 06:30:40 -------- d-----w- C:\Users\Catie\AppData\Roaming\HzONtxA0uSiDpG
2011-11-26 05:21:43 -------- d-----w- C:\Users\Catie\AppData\Roaming\YOBBttxP0ycSiv3
2011-11-26 05:21:43 -------- d-----w- C:\Users\Catie\AppData\Roaming\EqqqhYYCwkUVl
2011-11-26 05:21:40 -------- d-----w- C:\Users\Catie\AppData\Roaming\wKgR99hYXwjUe
2011-11-26 05:21:39 -------- d-----w- C:\Users\Catie\AppData\Roaming\ummHH5ssW7dE
2011-11-26 05:21:39 -------- d-----w- C:\Users\Catie\AppData\Roaming\qlllOBBtxP0c1iD
2011-11-25 23:26:14 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F5473A7A-4E5A-446B-B7EB-E33DDAEC9438}\mpengine.dll
2011-11-25 23:20:50 111616 ----a-w- C:\windows\SysWow64\7XPfk7N.com_
2011-11-25 20:59:22 -------- d-----w- C:\Users\Catie\AppData\Roaming\GlarySoft
2011-11-25 20:57:26 -------- d-----w- C:\Program Files (x86)\Glary Utilities
2011-11-25 19:10:08 -------- d-----w- C:\windows\pss
2011-11-25 19:09:17 -------- d-----w- C:\Users\Catie\AppData\Roaming\oyxA0uvS2b3
2011-11-25 19:09:17 -------- d-----w- C:\Users\Catie\AppData\Roaming\kfRL9hTXqUeIrO
2011-11-25 18:46:46 -------- d-----w- C:\Users\Catie\AppData\Roaming\2CA5E
2011-11-25 18:46:34 -------- d-----w- C:\Users\Catie\AppData\Roaming\S666sWWJ7fELg
2011-11-25 18:46:34 -------- d-----w- C:\Users\Catie\AppData\Roaming\GTZZqqhYCwkUVlB
2011-11-25 18:46:34 -------- d-----w- C:\Users\Catie\AppData\Roaming\E8B2C
2011-11-25 18:46:30 -------- d-----w- C:\Users\Catie\AppData\Roaming\mJJ77dEL8gRZqYw
2011-11-25 18:46:29 -------- d-----w- C:\Users\Catie\AppData\Roaming\v666sWWJ7f
2011-11-25 18:46:28 -------- d-----w- C:\Users\Catie\AppData\Roaming\PlllONNtxP0
2011-11-25 18:46:20 -------- d-----we C:\windows\system64
2011-11-09 21:45:01 -------- d-----w- C:\Users\Catie\AppData\Roaming\wgTZqjYCwIrOtPu
2011-11-09 21:45:00 -------- d-----w- C:\Users\Catie\AppData\Roaming\Y2ibD3pnGaHsKfL
2011-11-09 21:44:54 -------- d-----w- C:\Users\Catie\AppData\Roaming\U1uvD2obFpGsJd
2011-11-09 21:44:52 -------- d-----w- C:\Users\Catie\AppData\Roaming\CvD3onF4aHsJdLg
2011-11-08 20:45:35 886784 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-08 20:45:35 708608 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-08 20:45:33 1897328 ----a-w- C:\windows\System32\drivers\tcpip.sys
2011-11-08 20:45:28 3141120 ----a-w- C:\windows\System32\win32k.sys
2011-11-07 00:03:10 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-11-05 23:10:06 -------- d-----w- C:\Users\Catie\AppData\Roaming\W6sWJ7fELgZhCkV
2011-11-05 23:10:05 -------- d-----w- C:\Users\Catie\AppData\Roaming\GlONxP0uc1b3n4m
2011-11-05 20:57:22 -------- d-----w- C:\Users\Catie\AppData\Roaming\N444pmmH5sQJdE8
2011-11-05 20:57:22 -------- d-----w- C:\Users\Catie\AppData\Roaming\jPP00ycAA1vDo
2011-11-05 20:57:22 -------- d-----w- C:\Users\Catie\AppData\Roaming\jPP00ycA1ivDo
2011-11-05 20:57:22 -------- d-----w- C:\Users\Catie\AppData\Roaming\h444pmmH5sQJdE8
.
==================== Find3M ====================
.
2011-11-08 18:37:19 414368 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-03 00:22:44 96519 ----a-w- C:\Users\Catie\AppData\Roaming\fc0ici00i.exe
2011-10-01 03:21:20 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-10-01 02:59:14 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
2011-09-23 15:42:49 260 ----a-w- C:\windows\SysWow64\cmdVBS.vbs
2011-09-23 15:42:49 256 ----a-w- C:\windows\SysWow64\MSIevent.bat
.
============= FINISH: 22:44:35.49 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-29 23:25:13
Windows 6.1.7600
Running: 3m6esvt5[1].exe


---- Files - GMER 1.0.15 ----

File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\css_27eabe6e4365fbc2f5467ea271c57d02[1].css 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\kiCIJo655O8[1].jpg 4847 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\K_VLNt38WD4[1].jpg 4806 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\4d344c3b1585a6dcce9d969108b7a8d9[1].jpg 24136 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\ping[2].js 869 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\q4yUWcbPguc[1].jpg 4776 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\last-minute-new-year%E2%80%99s-eve-party-ideas[1].txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\sXwJlJjsvHY[1].jpg 4581 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\click[1].here 3995 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\login-all[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\f57e0a781cd7ddda3af22692ac570501[1].gif 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\TSRq[2].gif 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\t_c4ca4238a0b923820dcc509a6f75849b[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\uat_16955[1].js 24790 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\120x120__4df27a1f79eb2[1].jpg 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\p3RZazUQhoY[1].jpg 4410 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\freeform_1308735381[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\addurl[1].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\netseerads[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\ODQoW8NMTt4[1].jpg 4843 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0VIDUKRW\jPc0JqmPGY8[1].jpg 4473 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\fb3_300x250[1].swf 40657 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\jsonrpc[1].js 5517 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\iframe!t=1209![6].txt 305 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\pc[1] 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\css_85630735ec4dcea745544443a46f95bc[1].css 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\companion[1].txt 1467 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\sparkel_300x250[1].swf 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\email[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\iStock_000007964127XSmall[1].jpg 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\_SBNbNAWW3c[1].jpg 4793 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\220228318_16_148_111[1].jpg 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\ros;sect=ros;sz=160x600;tile=1;ord=9986681012499896[1] 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\today_add[1].jpg 5734 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\-QA1Acrg6wo[1].jpg 4572 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\point_red[1].png 156 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\ros-middle;sect=ros-middle;sz=300x250,300x600;tile=4;ord=9986681012499896[1] 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J27W66L\inputshadow[1].gif 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\add-image[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\xd_proxy[1].php 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\plugin.sharecounter[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\preloader_big[1].gif 5535 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\2e35c0e4adcbb2995262286f128ff283[1].swf 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\304759d8453e469b71c01ef4db037620[1].swf 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\Conversion[1].aspx 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\upload[1].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\8849a2c3b9a52042eb932c0a4c97d377[1].jpg 18084 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\redirect_loading[1].gif 3533 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\roi[1].js 1495 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\16700[1].swf 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\ad[2].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\b_blue-square-media_comCANCON0U 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\b_blue-square-media_comCASLAD7A 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\ros;sect=ros;sz=300x250,300x600;tile=3;ord=9986681012499896[1] 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\shares[1].json 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\index_02[1].gif 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\inpageGlobalTemplate_v2_64_08[1].js 47862 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\s[1].htm 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\thread[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\parent[1].js 5856 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\menu-leaf[1].png 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BN83664F\disqus[1].js 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HF6RS18M\log[2].txt 0 bytes

---- EOF - GMER 1.0.15 ----

#2 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 30 November 2011 - 04:34 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days;
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Running OTM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :Processes
    :Services
    :Reg
    :Files
    C:\windows\SysWow64\7XPfk7N.com_
    C:\Users\Catie\AppData\Roaming\fc0ici00i.exe
    C:\Users\Catie\AppData\Roaming\C1uvS2obFpGaJdK
    C:\Users\Catie\AppData\Roaming\HYCwkIVrlNx0c1b
    C:\Users\Catie\AppData\Roaming\d3onG4amHsJfLgZ
    C:\Users\Catie\AppData\Roaming\VcS2ibD3pGaHs7E
    C:\Users\Catie\AppData\Roaming\P9gTZqjYCkVlNx
    C:\Users\Catie\AppData\Roaming\QRL9gTXqjCkrOtA
    C:\Users\Catie\AppData\Roaming\o2ibD3pnGaHsKfL
    C:\Users\Catie\AppData\Roaming\I9hYXwjUVlBzNc1
    C:\Users\Catie\AppData\Roaming\rpmH5sQJ7E8R
    C:\Users\Catie\AppData\Roaming\YaQH6sWK7E
    C:\Users\Catie\AppData\Roaming\HzONtxA0uSiDpG
    C:\Users\Catie\AppData\Roaming\YOBBttxP0ycSiv3
    C:\Users\Catie\AppData\Roaming\EqqqhYYCwkUVl
    C:\Users\Catie\AppData\Roaming\wKgR99hYXwjUe
    C:\Users\Catie\AppData\Roaming\ummHH5ssW7dE
    C:\Users\Catie\AppData\Roaming\qlllOBBtxP0c1iD
    C:\Program Files (x86)\2CA5E
    C:\Users\Catie\AppData\Roaming\jBtzPNycAuDoFpG
    C:\Users\Catie\AppData\Roaming\ZQJ7dEK8gZhXjVl
    C:\Users\Catie\AppData\Roaming\oyxA0uvS2b3
    C:\Users\Catie\AppData\Roaming\kfRL9hTXqUeIrO
    C:\Users\Catie\AppData\Roaming\2CA5E
    C:\Users\Catie\AppData\Roaming\S666sWWJ7fELg
    C:\Users\Catie\AppData\Roaming\GTZZqqhYCwkUVlB
    C:\Users\Catie\AppData\Roaming\E8B2C
    C:\Users\Catie\AppData\Roaming\mJJ77dEL8gRZqYw
    C:\Users\Catie\AppData\Roaming\v666sWWJ7f
    C:\Users\Catie\AppData\Roaming\PlllONNtxP0
    C:\Users\Catie\AppData\Roaming\wgTZqjYCwIrOtPu
    C:\Users\Catie\AppData\Roaming\Y2ibD3pnGaHsKfL
    C:\Users\Catie\AppData\Roaming\U1uvD2obFpGsJd
    C:\Users\Catie\AppData\Roaming\CvD3onF4aHsJdLg
    C:\Users\Catie\AppData\Roaming\W6sWJ7fELgZhCkV
    C:\Users\Catie\AppData\Roaming\GlONxP0uc1b3n4m
    C:\Users\Catie\AppData\Roaming\N444pmmH5sQJdE8
    C:\Users\Catie\AppData\Roaming\jPP00ycAA1vDo
    C:\Users\Catie\AppData\Roaming\jPP00ycA1ivDo
    C:\Users\Catie\AppData\Roaming\h444pmmH5sQJdE8
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [resethosts]
    [createrestorepoint]
    
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.



NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
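A name-based triage helper, added here as an example and not part of the thread or of OldTimer's OTM: it flags directory entries shaped like the random-named files in the :Files section of the script above and renders them in OTM's :Files layout for an analyst to review before pasting. The listing, the user name and every path in it are constructed.

```python
"""Name-based triage for random-named entries in %AppData%\\Roaming.

Added example, not part of the thread and not OldTimer's OTM. It walks a
constructed listing (a real one would come from "dir /b" or a GMER log),
flags names matching the two shapes visible in the :Files section above,
and renders them as an OTM :Files block. It is a heuristic: a match is a
candidate for review, not a verdict.
"""
import re

# Shape 1 on the page (C1uvS2obFpGaJdK, HYCwkIVrlNx0c1b, ...): 9-15
# alphanumerics, no extension, mixing upper case, lower case and a digit.
MIXED_RANDOM = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])[A-Za-z0-9]{9,15}$")
# Shape 2 on the page (2CA5E, E8B2C): exactly five upper-case hex characters.
SHORT_HEX = re.compile(r"^[0-9A-F]{5}$")

# Constructed sample listing (not the poster's machine): legitimate vendor
# folders mixed with names shaped like the ones in the script above.
SAMPLE_LISTING = [
    r"C:\Users\Catie\AppData\Roaming\Microsoft",
    r"C:\Users\Catie\AppData\Roaming\Adobe",
    r"C:\Users\Catie\AppData\Roaming\C1uvS2obFpGaJdK",
    r"C:\Users\Catie\AppData\Roaming\Mozilla",
    r"C:\Users\Catie\AppData\Roaming\2CA5E",
    r"C:\Users\Catie\AppData\Roaming\Macromedia",
    r"C:\Users\Catie\AppData\Roaming\rpmH5sQJ7E8R",
    r"C:\Users\Catie\AppData\Roaming\Identities",
    r"C:\Users\Catie\AppData\Roaming\fc0ici00i.exe",
]


def basename(path: str) -> str:
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(name: str) -> bool:
    """True when the name matches either dropper shape seen in the thread.
    Names carrying an extension (fc0ici00i.exe, 7XPfk7N.com_) are
    deliberately not caught: those need the file examined, not its name."""
    return bool(MIXED_RANDOM.match(name) or SHORT_HEX.match(name))


def triage_listing(paths):
    """Return the paths whose final component looks like a random name."""
    return [p for p in paths if looks_random(basename(p))]


def otm_files_section(paths) -> str:
    """Render flagged paths in the OTM layout used above: a ':Files' header
    followed by one full path per line. Empty string when nothing is flagged."""
    flagged = triage_listing(paths)
    if not flagged:
        return ""
    return "\n".join([":Files", *flagged])


if __name__ == "__main__":
    print(otm_files_section(SAMPLE_LISTING))
```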


#3 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 04 December 2011 - 02:24 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.


