Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Click.Giftload, Google Redirects & Windows Host Service issues

Started by OlivierL , Mar 26 2011 08:58 PM

  • Please log in to reply

#1
OlivierL
Posted 26 March 2011 - 08:58 PM

OlivierL

    New Member

  • Member
  • Pip
  • 2 posts
Hello,

I fell victim to a malware attack today while surfing the web. First I got an Avira AntiVir warning that it had detected malware and would delete it. I confirmed, then ran Malwarebyte's Anti-Malware and it detected 18 infections. I allowed Anti-Malware to remove the malware but unfortunately forgot to save the protocol. Now I remember only vaguely what the infections were about; all I know is they were listed as trojans with "Fake" in the name (maybe "FakeAlert"?) and one of the infected files was called wninit.exe, I think. When I run Anti-Malware again now, it doesn't detect anything anymore and says everything is fine.

I also ran Spybot Search & Destroy, and it found Click.Giftload but was unable to delete it.

The symptoms I'm still experiencing are:

- occasional Google redirects
- occasional alerts that the Windows Host Service has stopped working (after that, I can't connect to the Internet anymore until I've restarted Windows)
- Windows Vista update fails: I get an error 80072EFE (apparantly Windows fails to make the connection, maybe because of the redirects or troubles with the host service?)

Thanks in advance for any help you can offer!

Here's the OTL protocol:



OTL logfile created on: 27.03.2011 04:09:09 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\MyUserName\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19019)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 60,00% Memory free
7,00 Gb Paging File | 6,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): c:\pagefile.sys 4219 4219 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 228,00 Gb Total Space | 33,88 Gb Free Space | 14,86% Space Free | Partition Type: NTFS
Drive D: | 4,88 Gb Total Space | 1,46 Gb Free Space | 29,96% Space Free | Partition Type: NTFS
Drive E: | 177,30 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive J: | 465,76 Gb Total Space | 379,57 Gb Free Space | 81,50% Space Free | Partition Type: NTFS

Computer Name: COMP | User Name: MyUserName | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\MyUserName\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Programme\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Programme\NVIDIA Corporation\Display\NvXDSync.exe (NVIDIA Corporation)
PRC - C:\Programme\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Programme\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Programme\TortoiseSVN\bin\TSVNCache.exe (http://tortoisesvn.net)
PRC - C:\Windows\System32\FsUsbExService.Exe (Teruten)
PRC - C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Programme\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\PaperCut Print Logger\pcpl.exe (PaperCut Software International Pty Ltd)
PRC - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Programme\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Programme\Common Files\NMSAccessU.exe ()


========== Modules (SafeList) ==========

MOD - C:\Users\MyUserName\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Automatisches LiveUpdate - Scheduler) -- File not found
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FsUsbExService) -- C:\Windows\System32\FsUsbExService.Exe (Teruten)
SRV - (getPlusHelper) getPlus® -- C:\Programme\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (ACDaemon) -- C:\Programme\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (PCPrintLogger) -- C:\Program Files\PaperCut Print Logger\pcpl.exe (PaperCut Software International Pty Ltd)
SRV - (WinDefend) -- C:\Programme\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (NMSAccessU) -- C:\Programme\Common Files\NMSAccessU.exe ()


========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
DRV - (sptd) -- C:\Windows\System32\Drivers\sptd.sys ()
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (FsUsbExDisk) -- C:\Windows\System32\FsUsbExDisk.Sys ()
DRV - (ss_mdm) -- C:\Windows\System32\drivers\ss_mdm.sys (MCCI Corporation)
DRV - (ss_bus) SAMSUNG Mobile USB Device 1.0 driver (WDM) -- C:\Windows\System32\drivers\ss_bus.sys (MCCI Corporation)
DRV - (ss_mdfl) -- C:\Windows\System32\drivers\ss_mdfl.sys (MCCI Corporation)
DRV - (atksgt) -- C:\Windows\System32\drivers\atksgt.sys ()
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (lirsgt) -- C:\Windows\System32\drivers\lirsgt.sys ()
DRV - (hwpsgt) -- C:\Windows\System32\drivers\hwpsgt.sys ()
DRV - (lemsgt) -- C:\Windows\System32\drivers\lemsgt.sys ()
DRV - (nvstor32) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation)
DRV - (wanatw) WAN Miniport (ATW) -- C:\Windows\System32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (O2SDRDR) -- C:\Windows\system32\drivers\o2sd.sys (O2Micro )
DRV - (O2MDRDR) -- C:\Windows\system32\drivers\o2media.sys (O2Micro )


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://login.yahoo....g/mail?.intl=us [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.perlentaucher.de/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...rchSource=3&q="
FF - prefs.js..browser.search.selectedEngine: "ICQ Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.de/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.4
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.2
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: bug489729@alice0775:1.3
FF - prefs.js..network.proxy.http: "http-proxy.fu-berlin.de"
FF - prefs.js..network.proxy.http_port: 80

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011.03.24 11:36:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011.03.24 11:36:39 | 000,000,000 | ---D | M]

[2008.09.07 01:20:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MyUserName\AppData\Roaming\mozilla\Extensions
[2011.03.27 00:21:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MyUserName\AppData\Roaming\mozilla\Firefox\Profiles\n1h1j8l6.default\extensions
[2010.12.03 15:56:40 | 000,000,000 | ---D | M] (FireFTP) -- C:\Users\MyUserName\AppData\Roaming\mozilla\Firefox\Profiles\n1h1j8l6.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2011.03.22 11:01:46 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\MyUserName\AppData\Roaming\mozilla\Firefox\Profiles\n1h1j8l6.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011.01.11 18:54:45 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\MyUserName\AppData\Roaming\mozilla\Firefox\Profiles\n1h1j8l6.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011.03.22 11:01:43 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\MyUserName\AppData\Roaming\mozilla\Firefox\Profiles\n1h1j8l6.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010.06.28 00:50:36 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\MyUserName\AppData\Roaming\mozilla\Firefox\Profiles\n1h1j8l6.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010.11.04 22:40:18 | 000,000,000 | ---D | M] ("bug489729") -- C:\Users\MyUserName\AppData\Roaming\mozilla\Firefox\Profiles\n1h1j8l6.default\extensions\bug489729@alice0775
[2011.03.21 18:29:26 | 000,000,950 | ---- | M] () -- C:\Users\MyUserName\AppData\Roaming\Mozilla\Firefox\Profiles\n1h1j8l6.default\searchplugins\icqplugin-1.xml
[2010.12.10 07:11:39 | 000,000,950 | ---- | M] () -- C:\Users\MyUserName\AppData\Roaming\Mozilla\Firefox\Profiles\n1h1j8l6.default\searchplugins\icqplugin-2.xml
[2010.06.21 17:35:24 | 000,001,042 | ---- | M] () -- C:\Users\MyUserName\AppData\Roaming\Mozilla\Firefox\Profiles\n1h1j8l6.default\searchplugins\icqplugin.xml
[2011.01.13 00:09:55 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
[2010.11.04 18:33:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2008.09.07 01:20:21 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions\[email protected]
[2010.11.04 18:33:51 | 000,000,000 | ---D | M] (Java Console) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010.09.15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Mozilla Firefox\plugins\npdeployJava1.dll
[2009.08.22 12:16:53 | 000,072,960 | ---- | M] (Foxit Software Company) -- C:\Programme\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2011.03.05 23:49:37 | 000,001,392 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\amazondotcom-de.xml
[2011.03.05 23:49:37 | 000,002,344 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\eBay-de.xml
[2011.03.05 23:49:37 | 000,006,805 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\leo_ende_de.xml
[2011.03.05 23:49:37 | 000,001,178 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\wikipedia-de.xml
[2011.03.05 23:49:37 | 000,001,105 | ---- | M] () -- C:\Programme\Mozilla Firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2010.11.08 00:26:26 | 000,066,030 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 babe.the-killer.bz
O1 - Hosts: 127.0.0.1 www.babe.the-killer.bz
O1 - Hosts: 127.0.0.1 babe.k-lined.com
O1 - Hosts: 127.0.0.1 www.babe.k-lined.com
O1 - Hosts: 127.0.0.1 did.i-used.cc
O1 - Hosts: 127.0.0.1 www.did.i-used.cc
O1 - Hosts: 127.0.0.1 coolwwwsearch.com
O1 - Hosts: 127.0.0.1 www.coolwwwsearch.com
O1 - Hosts: 127.0.0.1 coolwebsearch.com
O1 - Hosts: 127.0.0.1 www.coolwebsearch.com
O1 - Hosts: 127.0.0.1 hi.studioaperto.net
O1 - Hosts: 127.0.0.1 www.hi.studioaperto.net
O1 - Hosts: 127.0.0.1 webbrowser.tv
O1 - Hosts: 127.0.0.1 www.webbrowser.tv
O1 - Hosts: 127.0.0.1 wazzupnet.com
O1 - Hosts: 127.0.0.1 www.wazzupnet.com
O1 - Hosts: 127.0.0.1 gueb.com
O1 - Hosts: 127.0.0.1 www.gueb.com
O1 - Hosts: 127.0.0.1 kabex.com
O1 - Hosts: 127.0.0.1 www.kabex.com
O1 - Hosts: 127.0.0.1 hityou.com
O1 - Hosts: 127.0.0.1 www.hityou.com
O1 - Hosts: 127.0.0.1 miosearch.com
O1 - Hosts: 2308 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (ICQToolBar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O3 - HKCU\..\Toolbar\WebBrowser: (ICQToolBar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll (ICQ)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O9 - Extra Button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra 'Tools' menuitem : ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Programme\ICQ7.2\ICQ.exe (ICQ, LLC.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} Reg Error: Key error. (Java Plug-in 1.4.1_07)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Programme\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programme\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programme\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\MyUserName\Pictures\wallpaper\Music-Headphones-61581.jpg
O24 - Desktop BackupWallPaper: C:\Users\MyUserName\Pictures\wallpaper\Music-Headphones-61581.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{497df8fb-4f59-11dc-831a-00038a000015}\Shell\AutoRun\command - "" = J:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
O33 - MountPoints2\{50f71ed2-201c-11e0-8215-cefe45721468}\Shell - "" = AutoRun
O33 - MountPoints2\{50f71ed2-201c-11e0-8215-cefe45721468}\Shell\AutoRun\command - "" = K:\Setup.exe
O33 - MountPoints2\{eb36ffb5-a147-11df-b4f5-999700f9f53d}\Shell\AutoRun\command - "" = J:\Get_Started_for_Win.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.03.27 03:48:15 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\MyUserName\Desktop\OTL.exe
[2011.03.27 02:25:30 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Users\MyUserName\Desktop\setup-spybotsd162.exe
[2011.03.27 00:12:05 | 000,000,000 | ---D | C] -- C:\Users\MyUserName\AppData\Roaming\GetRightToGo
[2011.03.27 00:12:05 | 000,000,000 | ---D | C] -- C:\Users\MyUserName\Documents\Downloads
[2011.03.23 03:42:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Silver
[2011.03.23 02:05:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Core Design
[2011.03.23 01:10:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monolith Games
[2011.03.21 18:31:41 | 000,000,000 | ---D | C] -- C:\Users\MyUserName\AppData\Roaming\skypePM
[2011.03.21 18:31:25 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\Skype
[2011.03.21 18:31:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2008.06.14 10:59:29 | 001,399,808 | ---- | C] (PiX-ART.com) -- C:\Programme\DIManager6.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011.03.27 03:48:19 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\MyUserName\Desktop\OTL.exe
[2011.03.27 03:43:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.03.27 03:22:28 | 000,638,510 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.03.27 03:22:28 | 000,604,126 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.03.27 03:22:28 | 000,130,462 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.03.27 03:22:28 | 000,107,562 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.03.27 03:18:13 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.03.27 03:18:11 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.03.27 03:18:11 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.03.27 03:17:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.03.27 03:17:09 | 2949,218,304 | -HS- | M] () -- C:\hiberfil.sys
[2011.03.27 02:27:55 | 000,001,080 | ---- | M] () -- C:\Users\MyUserName\Desktop\Spybot - Search & Destroy (for blind users).lnk
[2011.03.27 02:27:55 | 000,001,058 | ---- | M] () -- C:\Users\MyUserName\Desktop\Spybot - Search & Destroy.lnk
[2011.03.27 02:26:16 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Users\MyUserName\Desktop\setup-spybotsd162.exe
[2011.03.27 02:00:38 | 000,000,909 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011.03.21 19:52:53 | 000,137,656 | ---- | M] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2011.03.21 18:31:49 | 000,000,056 | -H-- | M] () -- C:\ProgramData\ezsidmv.dat
[2011.02.26 02:18:20 | 000,001,658 | ---- | M] () -- C:\Users\Public\Desktop\Syberia 2.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011.03.27 02:27:55 | 000,001,080 | ---- | C] () -- C:\Users\MyUserName\Desktop\Spybot - Search & Destroy (for blind users).lnk
[2011.03.21 18:31:49 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2011.02.26 02:18:20 | 000,001,658 | ---- | C] () -- C:\Users\Public\Desktop\Syberia 2.lnk
[2010.09.26 01:54:10 | 000,000,145 | ---- | C] () -- C:\Windows\game.INI
[2010.05.13 15:31:27 | 000,000,000 | ---- | C] () -- C:\Windows\PROTOCOL.INI
[2010.04.26 18:59:44 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2010.04.26 18:59:44 | 000,036,640 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2010.03.23 04:09:16 | 000,000,892 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2010.03.20 16:21:33 | 000,059,952 | ---- | C] () -- C:\Windows\UNWISE.EXE
[2010.03.08 05:14:01 | 000,027,136 | ---- | C] () -- C:\Windows\System32\QTUninst.dll
[2010.03.08 05:06:57 | 000,000,298 | ---- | C] () -- C:\Windows\SIERRA.INI
[2010.03.08 04:56:27 | 000,009,136 | ---- | C] () -- C:\Windows\System32\INETWH16.DLL
[2010.03.08 04:56:27 | 000,004,528 | ---- | C] () -- C:\Windows\System32\SETBROWS.EXE
[2009.06.11 13:43:37 | 000,406,528 | ---- | C] () -- C:\Windows\System32\msvcp60.dll
[2009.06.11 13:43:21 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.06.11 13:43:20 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.03.30 02:18:20 | 000,000,197 | ---- | C] () -- C:\Users\MyUserName\AppData\Roaming\burnaware.ini
[2009.03.18 01:56:50 | 000,001,356 | ---- | C] () -- C:\Users\MyUserName\AppData\Local\d3d9caps.dat
[2008.11.12 05:27:54 | 000,003,636 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008.09.09 03:01:38 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008.07.25 12:22:11 | 000,244,224 | ---- | C] () -- C:\Windows\System32\audiodev.dll
[2008.06.13 15:36:20 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2008.06.13 13:41:11 | 000,000,200 | ---- | C] () -- C:\Windows\Wininit.ini
[2008.01.31 18:43:09 | 000,000,145 | ---- | C] () -- C:\Windows\BRVIDEO.INI
[2008.01.31 18:43:09 | 000,000,023 | ---- | C] () -- C:\Windows\Brownie.ini
[2008.01.31 18:43:09 | 000,000,000 | ---- | C] () -- C:\Windows\brmx2001.ini
[2008.01.31 18:43:08 | 000,000,114 | ---- | C] () -- C:\Windows\System32\brlmw03a.ini
[2008.01.31 18:43:07 | 000,008,975 | ---- | C] () -- C:\Windows\HL-2030.INI
[2008.01.31 18:41:28 | 000,000,432 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2008.01.31 18:41:28 | 000,000,034 | ---- | C] () -- C:\Windows\System32\BD2030.DAT
[2007.12.05 16:05:04 | 000,383,238 | ---- | C] () -- C:\Windows\System32\libmp3lame-0.dll
[2007.12.02 09:33:25 | 000,000,052 | ---- | C] () -- C:\Windows\Relax.ini
[2007.10.25 17:26:10 | 000,005,632 | ---- | C] () -- C:\Windows\System32\drivers\StarOpen.sys
[2007.09.16 03:24:51 | 000,278,728 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2007.09.16 03:24:50 | 000,018,048 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2007.09.15 15:21:31 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2007.09.15 15:21:31 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2007.09.14 15:33:44 | 000,069,632 | ---- | C] () -- C:\Windows\System32\xmltok.dll
[2007.09.14 15:33:44 | 000,036,864 | ---- | C] () -- C:\Windows\System32\xmlparse.dll
[2007.09.13 16:11:38 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2007.09.02 20:28:01 | 000,137,344 | ---- | C] () -- C:\Windows\System32\drivers\hwpsgt.sys
[2007.09.02 20:28:01 | 000,009,472 | ---- | C] () -- C:\Windows\System32\drivers\lemsgt.sys
[2007.08.27 12:41:50 | 000,000,096 | ---- | C] () -- C:\Users\MyUserName\AppData\Local\fusioncache.dat
[2007.08.24 16:37:24 | 002,293,712 | ---- | C] () -- C:\Programme\FLV PlayerFCSetup.exe
[2007.08.24 11:14:58 | 000,000,305 | ---- | C] () -- C:\ProgramData\addr_file.html
[2007.08.23 20:21:32 | 000,000,970 | ---- | C] () -- C:\Users\MyUserName\AppData\Roaming\wklnhst.dat
[2007.08.23 11:28:46 | 000,036,219 | ---- | C] () -- C:\Windows\DIIUnin.dat
[2007.08.22 23:07:42 | 000,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2007.08.22 23:07:42 | 000,045,056 | ---- | C] () -- C:\Windows\System32\unredmon.exe
[2007.08.21 20:25:01 | 000,000,002 | ---- | C] () -- C:\Windows\msoffice.ini
[2007.08.21 11:38:12 | 000,015,360 | ---- | C] () -- C:\Users\MyUserName\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007.08.21 00:04:46 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2007.08.21 00:04:46 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2007.08.21 00:04:46 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2007.08.20 23:34:59 | 000,000,951 | ---- | C] () -- C:\Windows\ODBC.INI
[2007.01.25 23:19:01 | 000,000,335 | ---- | C] () -- C:\Windows\nsreg.dat
[2007.01.25 04:52:26 | 000,065,536 | ---- | C] () -- C:\Programme\Common Files\NMSAccessU.exe
[2006.11.02 17:33:31 | 000,638,510 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2006.11.02 17:33:31 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2006.11.02 17:33:31 | 000,130,462 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2006.11.02 17:33:31 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2006.11.02 14:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 14:47:37 | 000,305,240 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 14:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 12:33:01 | 000,604,126 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 12:33:01 | 000,107,562 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.04.27 11:24:24 | 000,394,240 | ---- | C] () -- C:\Windows\System32\Smab.dll
[2005.10.24 12:13:58 | 000,066,560 | ---- | C] () -- C:\Windows\MOTA113.exe
[2005.10.13 22:27:00 | 000,502,784 | ---- | C] () -- C:\Windows\x2.64.exe
[2005.07.14 13:31:20 | 000,027,648 | RHS- | C] () -- C:\Windows\System32\AVSredirect.dll
[2005.06.21 23:37:42 | 000,045,568 | RHS- | C] () -- C:\Windows\System32\cygz.dll
[2005.05.13 18:12:00 | 000,217,073 | RHS- | C] () -- C:\Windows\meta4.exe
[2005.02.28 14:16:22 | 000,240,128 | RHS- | C] () -- C:\Windows\System32\x.264.exe
[2002.06.06 03:01:58 | 000,029,696 | ---- | C] () -- C:\Windows\System32\asutl8.dll
[1999.04.30 00:00:00 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010.07.26 11:23:01 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\acccore
[2010.03.04 15:57:31 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Anvil Studio
[2010.03.12 01:07:05 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ASCOMP Software
[2011.02.23 16:50:01 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Braid
[2010.12.15 06:16:34 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\com.gog.downloader.87F90EC6C28C7E479115BE2E026DB87A08BC420D.1
[2007.09.16 02:36:42 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\CrystalSpace
[2010.04.23 01:45:03 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\cYo
[2007.09.13 00:14:36 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\DeepBurner
[2010.03.23 14:39:48 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\deluge
[2011.01.12 20:34:14 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Dropbox
[2010.05.10 15:28:51 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\elsterformular
[2008.04.18 04:45:38 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\FLV Extract
[2009.08.22 12:17:14 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Foxit
[2011.03.27 00:13:21 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\GetRightToGo
[2010.06.03 18:59:34 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\gtk-2.0
[2008.05.14 14:30:00 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ICAClient
[2011.03.27 01:18:12 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ICQ
[2008.04.27 20:24:03 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ICQ Toolbar
[2008.01.30 19:41:19 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ID3 renamer
[2011.02.24 03:11:59 | 000,000,000 | -H-D | M] -- C:\Users\MyUserName\AppData\Roaming\IFViewer
[2007.08.21 01:07:59 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ImgBurn
[2007.08.21 00:21:57 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Leadertech
[2010.04.26 19:48:47 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ML
[2011.01.25 14:56:40 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Noctua
[2010.09.10 23:04:34 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Notepad++
[2008.06.14 11:17:47 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\PiX-ART.com
[2008.08.04 00:03:02 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\PoolSharks
[2008.11.14 17:26:25 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\REAPER
[2010.04.26 18:59:27 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Samsung
[2007.09.30 20:27:51 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\ScummVM
[2007.08.22 21:46:13 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Smart PC Solutions
[2007.08.27 12:41:52 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Strokes 4.0
[2010.08.08 22:58:29 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Subversion
[2009.06.17 13:59:44 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Template
[2010.12.18 02:00:53 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\The Longest Journey
[2011.01.25 14:19:16 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\Voca
[2011.03.04 00:18:06 | 000,000,000 | ---D | M] -- C:\Users\MyUserName\AppData\Roaming\WordToPDF
[2011.03.27 03:15:52 | 000,032,538 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:CC9DD8FE

< End of report >
  • 0

Advertisements

#2
OlivierL
Posted 29 March 2011 - 12:24 PM

OlivierL

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Never mind. I ran Kaspersky's TDSS rootkit removal tool (TDSSKiller) and manually deleted the registry entry that Spybot had warned me about. After re-booting the computer Spybot didn't detect Click.Giftload anymore, neither did Antivir, Anti-Malware and the ESET Smart Online Scan find anything suspicious.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP