Need help with Google Hijack Virus


  • This topic is locked

#1
blocka

    New Member

  • Member
  • 5 posts
A few days ago my computer got infected with a Google hijack virus. It is present in Google, Yahoo, and Bing searches and just redirects me to random advertisement sites. It is also creating fake "Windows Vista Recovery" and "Malware Protection" programs that it tries to get me to buy. I've tried using Webroot Spy Sweeper and Malwarebytes to remove it but have been unsuccessful.
I just tried the fix in another topic on this board: http://www.geekstogo...ogle-redirects/
I got through all the steps until TDSSKiller.exe, which will not run when I download it; I believe malware is preventing it.
So, anyone know how to get rid of this annoying virus? By the way, I am running Windows Vista.

Here's my OTL log:

OTL logfile created on: 6/9/2011 1:26:38 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Users\Owner\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.38 Mb Total Physical Memory | 146.15 Mb Available Physical Memory | 14.42% Memory free
2.23 Gb Paging File | 1.11 Gb Available in Paging File | 49.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 75.27 Gb Free Space | 68.22% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/09 13:26:02 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Downloads\OTL.exe
PRC - [2011/05/19 02:13:55 | 001,201,656 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
PRC - [2011/04/20 09:33:48 | 006,515,800 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
PRC - [2011/04/14 12:25:41 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/22 10:14:12 | 004,048,256 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PRC - [2011/03/22 10:14:10 | 000,165,248 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SSU.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/07/30 12:34:12 | 000,566,592 | ---- | M] (Apple Inc.) -- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2008/04/24 13:25:22 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2008/03/18 14:50:54 | 000,984,616 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
PRC - [2008/01/19 03:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/01/25 20:50:26 | 000,063,096 | ---- | M] () -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
PRC - [2007/01/25 20:47:50 | 000,136,816 | ---- | M] () -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2006/12/20 02:16:44 | 000,411,768 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2006/12/20 02:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2006/12/15 18:59:04 | 000,530,552 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2006/12/11 20:45:16 | 000,448,632 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2006/11/10 17:22:26 | 000,417,792 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2006/11/09 13:57:52 | 003,784,704 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2006/11/06 20:14:44 | 000,034,352 | ---- | M] () -- C:\Program Files\Toshiba\Utilities\KeNotify.exe
PRC - [2006/11/01 01:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2006/10/27 16:11:02 | 000,192,512 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2006/09/12 11:03:20 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2005/12/16 05:41:28 | 000,188,416 | ---- | M] (Agere Systems) -- C:\Program Files\ltmoh\ltmoh.exe


========== Modules (SafeList) ==========

MOD - [2011/06/09 13:26:02 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Downloads\OTL.exe
MOD - [2010/08/31 11:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll
MOD - [2007/04/19 14:21:40 | 000,116,264 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprthook.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/05/19 02:13:55 | 001,201,656 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- (WRConsumerService)
SRV - [2011/03/22 10:14:12 | 004,048,256 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/01/25 20:50:26 | 000,063,096 | ---- | M] () [Auto | Running] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/01/25 20:47:50 | 000,136,816 | ---- | M] () [Auto | Running] -- C:\TOSHIBA\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/12/20 02:15:44 | 000,428,152 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2006/11/14 23:33:10 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2006/11/01 01:40:16 | 000,077,824 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2006/09/12 11:03:20 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/25 21:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)


========== Driver Services (SafeList) ==========

DRV - [2011/03/22 10:14:22 | 000,176,776 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\Windows\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV)
DRV - [2011/03/22 10:14:22 | 000,029,832 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2011/03/22 10:14:22 | 000,023,176 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\Windows\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD)
DRV - [2007/10/12 02:00:56 | 003,647,384 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) QuickCam Pro for Notebooks(UVC)
DRV - [2007/10/12 02:00:44 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/10/01 16:24:36 | 000,023,864 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2007/02/28 21:04:58 | 000,694,784 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2007/02/19 22:13:24 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2007/02/19 22:12:46 | 000,219,520 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/04 12:35:50 | 000,059,392 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006/11/02 03:30:54 | 001,781,760 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/06 01:22:14 | 000,016,768 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/09/27 23:06:56 | 000,479,488 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr3npxp.sys -- (KR3NPXP)
DRV - [2006/08/31 09:53:00 | 001,161,152 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/07/28 19:25:26 | 000,019,456 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter)
DRV - [2006/07/06 16:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/08/01 19:45:08 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 168.94.74.68:8080

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.bing.com/"

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/04 12:37:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/20 15:29:58 | 000,000,000 | ---D | M]

[2011/06/04 12:39:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Extensions
[2011/06/04 12:37:12 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/23 13:59:38 | 000,000,000 | ---D | M] (DesktopSync) -- C:\Program Files\Mozilla Firefox\extensions\{C8FEEBE8-43E8-11E0-AA39-0786DFD72085}
File not found (No name found) --
[2009/09/02 03:01:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2009/07/17 04:40:12 | 000,704,512 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/06/09 12:47:45 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Ask Search Assistant BHO) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (Ask.com)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll (BitComet)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ddoctorv2] C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [HSON] C:\Program Files\TOSHIBA\TBS\HSON.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe (TOSHIBA Electronics, Inc.)
O4 - HKLM..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (Agere Systems)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Desktop Software] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - HKCU..\Run: [Universal Installer] C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe (SupportSoft, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.1.10.dll (BitComet)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.64.150 68.87.75.198
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img19.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img19.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/09 13:20:26 | 001,437,488 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Owner\Desktop\TDSSKiller.exe
[2011/06/09 13:01:42 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\GooredFix Backups
[2011/06/09 12:46:08 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/06/09 12:40:21 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/06/09 12:39:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2011/06/09 12:39:43 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/06/07 03:01:20 | 000,000,000 | ---D | C] -- C:\068acb5e9439ab3f46a9743a35050d
[2011/06/05 03:06:21 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2011/06/04 13:07:56 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Malwarebytes
[2011/06/04 13:07:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/04 13:07:14 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/06/04 13:07:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/06/04 13:07:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/04 12:18:57 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/06/03 22:31:46 | 000,000,000 | ---D | C] -- C:\PerfLogs
[2011/06/03 18:09:33 | 000,000,000 | ---D | C] -- C:\test
[2011/05/27 15:55:41 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\New Folder

========== Files - Modified Within 30 Days ==========

[2011/06/09 13:21:07 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/06/09 13:21:07 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/06/09 13:15:35 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/09 13:15:35 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/09 13:15:33 | 000,001,618 | ---- | M] () -- C:\Windows\tasks\wrSpySweeper_L98751698DECD45F5944B2071C0D5E8EA.job
[2011/06/09 13:15:33 | 000,001,594 | ---- | M] () -- C:\Windows\tasks\wrSpySweeper_LB5E73D921384425CBB8C5166DFC871B8.job
[2011/06/09 13:15:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/06/09 13:15:21 | 1063,358,464 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/09 12:47:45 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011/06/09 12:39:46 | 000,000,744 | ---- | M] () -- C:\Users\Owner\Desktop\NTREGOPT.lnk
[2011/06/09 12:39:46 | 000,000,725 | ---- | M] () -- C:\Users\Owner\Desktop\ERUNT.lnk
[2011/06/09 11:39:59 | 000,001,356 | ---- | M] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2011/06/07 21:32:08 | 000,000,598 | ---- | M] () -- C:\Users\Public\Desktop\Malware Protection.lnk
[2011/06/07 17:32:48 | 001,437,488 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Owner\Desktop\TDSSKiller.exe
[2011/06/07 11:36:57 | 000,002,231 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/06/07 11:35:05 | 001,027,478 | ---- | M] () -- C:\Users\Owner\Desktop\New Riff 6-7-11.mp3
[2011/06/05 04:12:29 | 000,326,088 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/04 13:07:16 | 000,000,917 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/04 12:37:15 | 000,000,881 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/04 12:37:15 | 000,000,857 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/06/04 12:11:04 | 000,053,467 | ---- | M] () -- C:\logfile
[2011/06/03 22:06:27 | 000,101,888 | ---- | M] (Infineon Technologies AG) -- C:\Windows\System32\ifxcardm.dll
[2011/06/03 22:06:08 | 000,082,432 | ---- | M] (Gemalto, Inc.) -- C:\Windows\System32\axaltocm.dll
[2011/06/03 20:18:45 | 000,805,122 | ---- | M] () -- C:\Users\Owner\Desktop\New Riff 6-3-11.mp3
[2011/06/03 18:33:14 | 000,000,152 | ---- | M] () -- C:\ProgramData\~22339344r
[2011/06/03 18:33:14 | 000,000,136 | ---- | M] () -- C:\ProgramData\~22339344
[2011/06/03 18:13:02 | 000,000,392 | ---- | M] () -- C:\ProgramData\22339344
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/05/19 02:13:49 | 000,001,792 | ---- | M] () -- C:\Users\Public\Desktop\Spy Sweeper.lnk
[2011/05/19 02:12:14 | 000,000,164 | ---- | M] () -- C:\Windows\install.dat

========== Files Created - No Company Name ==========

[2011/06/09 13:15:21 | 1063,358,464 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/09 13:10:27 | 000,000,727 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\tavmsi.lnk
[2011/06/09 12:39:46 | 000,000,744 | ---- | C] () -- C:\Users\Owner\Desktop\NTREGOPT.lnk
[2011/06/09 12:39:46 | 000,000,725 | ---- | C] () -- C:\Users\Owner\Desktop\ERUNT.lnk
[2011/06/07 21:32:08 | 000,000,598 | ---- | C] () -- C:\Users\Public\Desktop\Malware Protection.lnk
[2011/06/07 11:34:59 | 001,027,478 | ---- | C] () -- C:\Users\Owner\Desktop\New Riff 6-7-11.mp3
[2011/06/05 03:29:08 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/06/05 03:29:08 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/06/05 03:29:02 | 011,967,524 | ---- | C] () -- C:\Windows\System32\korwbrkr.lex
[2011/06/05 03:02:15 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2011/06/05 03:02:15 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2011/06/05 03:02:14 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2011/06/04 13:07:16 | 000,000,917 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/06/04 12:37:15 | 000,000,881 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/04 12:37:15 | 000,000,869 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2011/06/04 12:37:15 | 000,000,857 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/06/03 20:17:40 | 000,805,122 | ---- | C] () -- C:\Users\Owner\Desktop\New Riff 6-3-11.mp3
[2011/06/03 18:33:14 | 000,000,152 | ---- | C] () -- C:\ProgramData\~22339344r
[2011/06/03 18:33:11 | 000,000,136 | ---- | C] () -- C:\ProgramData\~22339344
[2011/06/03 18:09:53 | 000,000,392 | ---- | C] () -- C:\ProgramData\22339344
[2011/05/19 02:13:49 | 000,001,792 | ---- | C] () -- C:\Users\Public\Desktop\Spy Sweeper.lnk
[2011/03/22 10:14:16 | 000,031,104 | ---- | C] () -- C:\Windows\System32\wrLZMA.dll
[2011/03/22 10:14:10 | 000,016,256 | ---- | C] () -- C:\Windows\System32\SsiEfr.exe
[2009/06/23 12:05:52 | 000,000,164 | ---- | C] () -- C:\Windows\install.dat
[2009/03/25 16:43:54 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2008/06/01 00:10:25 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008/04/03 00:26:09 | 000,000,032 | ---- | C] () -- C:\ProgramData\ezsid.dat
[2008/03/18 12:05:00 | 000,001,356 | ---- | C] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat
[2008/03/12 10:29:23 | 000,000,446 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\wklnhst.dat
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2007/10/12 01:11:58 | 000,059,500 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2007/08/09 21:31:24 | 000,026,112 | ---- | C] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/22 18:57:04 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2007/05/22 18:14:52 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2007/05/22 18:14:52 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2007/05/22 18:14:52 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2007/05/22 18:14:52 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2007/05/22 18:14:52 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2007/05/22 18:14:52 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2007/05/22 17:51:29 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2007/05/22 17:51:29 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2007/05/22 17:51:29 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2007/05/22 17:51:29 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2007/05/22 17:47:12 | 000,049,152 | ---- | C] () -- C:\Windows\System32\ChCfg.exe
[2007/05/22 17:47:12 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
[2007/05/22 17:47:12 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2006/11/29 01:12:18 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1132.dll
[2006/11/24 10:48:44 | 000,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2006/11/02 08:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 08:47:37 | 000,326,088 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 06:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 06:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 06:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 06:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 04:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 04:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 03:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/10/31 20:37:00 | 000,114,688 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2006/08/10 18:00:52 | 000,094,208 | ---- | C] () -- C:\Windows\System32\TosBtHcrpAPI.dll
[2006/03/09 13:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/12/15 07:17:00 | 000,159,744 | ---- | C] () -- C:\Windows\System32\EPSPTDV.DLL
[2005/11/23 17:55:42 | 000,024,576 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2005/07/23 00:30:20 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== LOP Check ==========

[2011/06/04 12:36:48 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\BitComet
[2008/09/16 15:53:22 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\FUJIFILM
[2008/06/11 23:19:29 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\LimeWire
[2010/10/06 02:57:27 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Passware
[2008/03/12 10:29:28 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Template
[2010/04/21 17:46:24 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\WildTangent
[2007/08/09 20:13:32 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\WinBatch
[2011/06/09 13:11:51 | 000,032,582 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/06/09 13:15:33 | 000,001,618 | ---- | M] () -- C:\Windows\Tasks\wrSpySweeper_L98751698DECD45F5944B2071C0D5E8EA.job
[2011/06/09 13:15:33 | 000,001,594 | ---- | M] () -- C:\Windows\Tasks\wrSpySweeper_LB5E73D921384425CBB8C5166DFC871B8.job

========== Purity Check ==========



< End of report >


Edited by blocka, 09 June 2011 - 11:47 AM.
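Added example (not part of this thread, and not OTL's own logic): a small Python triage script that reads OTL-style lines like the ones in the log above and flags the two things a reviewer looks for first in a redirect case: an Internet Settings ProxyServer value pointing at a public IP address (here 168.94.74.68:8080, the line the reply below removes with an OTL fix) and O6 policy values that switch UAC prompting off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0). The sample lines are constructed in the log's format with values copied from it; the rule that a home PC should have no proxy outside its own LAN is this example's assumption, not something the thread states.

```python
"""Triage of OTL log lines for browser-hijack indicators.

Added example for this thread; it is not OTL's logic and not code from the
forum. It looks for two indicators present in the log posted above:
  * an IE ProxyServer value pointing at a public IP address, and
  * UAC policy values (O6 lines) that turn elevation prompting off.
"""
import ipaddress
import re
import sys

# Constructed sample in the format of the OTL log in post #1 (values taken from it).
SAMPLE_OTL_LINES = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 168.94.74.68:8080',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0',
    r'O1 - Hosts: 127.0.0.1 localhost',
]

# IE - <registry key>: "<value name>" = <data>
IE_SETTING_RE = re.compile(r'^IE - (?P<key>[^:]+): "(?P<name>[^"]+)" = (?P<data>.*)$')
# O6 - <registry key>: <value name> = <data>
O6_POLICY_RE = re.compile(r'^O6 - (?P<key>[^:]+): (?P<name>\S+) = (?P<data>.*)$')

# Windows policy values that disable UAC prompting for administrators.
UAC_WEAK_VALUES = {
    "EnableLUA": "0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "0",  # elevate silently, no prompt
}


def proxy_hosts(data):
    """Extract host names from a ProxyServer value.

    Accepts both forms Windows uses: 'host:port' and 'http=host:port;https=host:port'.
    """
    hosts = []
    for entry in data.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                      # scheme=host:port form
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0] if ":" in entry else entry)
    return hosts


def is_external_proxy(host):
    """True when the proxy host is a public (globally routable) IP address.

    Assumption of this example: a home PC has no legitimate proxy outside its LAN,
    so a public address here is a hijack indicator. Hostnames are left for manual review.
    """
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def triage(lines):
    """Return (severity, message) findings for a list of OTL log lines."""
    findings = []
    proxy_enabled = None
    for line in lines:
        line = line.strip()
        m = IE_SETTING_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data").strip()
            if name == "ProxyEnable":
                proxy_enabled = data
            elif name == "ProxyServer":
                for host in proxy_hosts(data):
                    if is_external_proxy(host):
                        findings.append(("high", f"ProxyServer points at public address {host} ({data})"))
            continue
        m = O6_POLICY_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data").strip()
            if UAC_WEAK_VALUES.get(name) == data:
                findings.append(("medium", f"{name} = {data}: UAC elevation prompting is disabled"))
    if proxy_enabled == "0" and any(sev == "high" for sev, _ in findings):
        findings.append(("info", "ProxyEnable = 0: the proxy is not active right now, "
                                 "but the ProxyServer value is still configured and should be removed"))
    return findings


if __name__ == "__main__":
    # Read a saved OTL.txt when a path is given, otherwise run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read().splitlines()
    else:
        source = SAMPLE_OTL_LINES
    for severity, message in triage(source):
        print(f"[{severity}] {message}")
```

Run it as `python triage_otl.py OTL.txt` against a saved log, or with no argument to see it flag the sample lines. The ProxyEnable check matters here because the log shows the proxy switched off but still configured; the helper's fix removes the stale value rather than trusting the "0".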



#2
patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Hello and :)

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
  • Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
  • Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!


I apologize for the delay in responding to your post. The forums have been very busy.



Run OTL.exe by right-clicking and choosing Run as Administrator on the icon.
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Services
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 168.94.74.68:8080
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the resulting OTL log




Download and Run GMER

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Right-click and choose Run as Administrator on GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that may have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one - make sure it is UNCHECKED)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

  • 0
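The OTL fix above clears an Internet Explorer ProxyServer value under HKCU that points at an external address (168.94.74.68:8080). The following Python is an added example, not patndoris's instructions or OTL's own code: it parses that kind of OTL line, handles both formats Windows accepts for ProxyServer (a bare host:port, or per-protocol entries such as http=host:port;https=host:port), and classifies each proxy address so that a user-level proxy on a public IP is flagged for review. The sample line is constructed to match the fix script; the function and variable names are my own.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample, in the form OTL prints the IE proxy setting (assumption:
# the value format matches the fix script above).
SAMPLE_OTL_LINE = (
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: '
    r'"ProxyServer" = 168.94.74.68:8080'
)

OTL_PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?P<value>\S+)')


def parse_proxy_value(value: str) -> Dict[str, str]:
    """Split a Windows ProxyServer value into {scheme: 'host:port'}.

    Windows stores either a bare 'host:port' (applies to every protocol,
    keyed here as '*') or 'http=host:port;https=host:port;...'.
    """
    if "=" not in value:
        return {"*": value}
    entries: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            scheme, hostport = part.split("=", 1)
            entries[scheme.strip().lower()] = hostport.strip()
    return entries


def classify_host(hostport: str) -> str:
    """Classify the proxy host as loopback, private, public, or a DNS name."""
    host, sep, _port = hostport.rpartition(":")
    if not sep:          # no port given
        host = hostport
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # cannot be classified without a DNS lookup
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def assess_otl_proxy_line(line: str) -> Optional[dict]:
    """Return the parsed entries, their classes, and whether any points at a
    public address (a user-level proxy the user did not set up is worth a look)."""
    m = OTL_PROXY_RE.search(line)
    if m is None:
        return None
    entries = parse_proxy_value(m.group("value"))
    classes = {scheme: classify_host(hp) for scheme, hp in entries.items()}
    return {
        "entries": entries,
        "classes": classes,
        "review": any(c == "public" for c in classes.values()),
    }


if __name__ == "__main__":
    print(assess_otl_proxy_line(SAMPLE_OTL_LINE))
```

A loopback proxy is what local filtering software typically installs, while a public address configured in the current user's hive without the user's knowledge is the pattern this fix removes; the function only flags it, and the decision stays with whoever reads the log.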

#3
blocka

blocka

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hey, don't worry, I understand this forum is very busy. I'm just happy to have some help! Thank you!

Here's my OTL Log:

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 394836 bytes
->Temporary Internet Files folder emptied: 434653033 bytes
->FireFox cache emptied: 44758864 bytes
->Flash cache emptied: 2115035 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 71874139 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 528.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Owner
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.23.0 log created on 06162011_110905

Files\Folders moved on Reboot...
File\Folder C:\Users\Owner\AppData\Local\Temp\~DF8C7F.tmp not found!
File\Folder C:\Users\Owner\AppData\Local\Temp\~DF8C99.tmp not found!
File\Folder C:\Users\Owner\AppData\Local\Temp\~DF8F15.tmp not found!
File\Folder C:\Users\Owner\AppData\Local\Temp\~DF8F26.tmp not found!
File\Folder C:\Users\Owner\AppData\Local\Temp\~DF8FAA.tmp not found!
File\Folder C:\Users\Owner\AppData\Local\Temp\~DF8FBF.tmp not found!
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\672WFMZF\ac3[8].htm moved successfully.
File\Folder C:\Windows\temp\TMP0000002B17AFE71EED7FB604 not found!

Registry entries deleted on Reboot...


  • 0

#4
blocka

blocka

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
And here is the log from GMER.EXE. I ended up having to run it in safe mode; every time I tried it regularly it crashed with a BSoD. Looking forward to the next step, thanks again for your help!

Attached File  gmer.txt   6.46KB   164 downloads

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-16 12:39:37
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541612J9SA00 rev.SBDOC7DP
Running: gmer.exe; Driver: C:\Users\Owner\AppData\Local\Temp\uwloapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text kdcom.dll!KdSendPacket 82003041 37 Bytes [0B, B8, FF, FF, 00, 00, 66, ...]
.text kdcom.dll!KdSendPacket 82003067 130 Bytes [81, EC, 6C, 01, 00, 00, 53, ...]
.text kdcom.dll!KdDebuggerInitialize0 + 5E 820030EA 99 Bytes [00, 6A, 2E, 56, FF, 15, B4, ...]
.text kdcom.dll!KdSave + 2 8200314E 62 Bytes [C7, 8D, 50, 02, 66, 8B, 08, ...]
.text kdcom.dll!KdRestore + 31 8200318D 17 Bytes [00, 8B, B4, 1E, E0, 00, 00, ...]
.text kdcom.dll!KdRestore + 43 8200319F 62 Bytes [FC, 50, FF, 75, 0C, 56, E8, ...]
.text kdcom.dll!KdRestore + 82 820031DE 60 Bytes [83, FE, 14, 0F, 8C, 66, FF, ...]
.text kdcom.dll!KdRestore + BF 8200321B 129 Bytes CALL 82003505 \SystemRoot\system32\kdcom.dll (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text kdcom.dll!KdRestore + 141 8200329D 66 Bytes [55, 8B, EC, 83, EC, 14, 83, ...]
.text ...
PAGEKD kdcom.dll!KdReceivePacket + 25 82005199 6 Bytes [00, 00, 00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
PAGEKD kdcom.dll!KdReceivePacket + 2D 820051A1 36 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
PAGEKD kdcom.dll!KdReceivePacket + 52 820051C6 3 Bytes [00, 00, 00]
PAGEKD kdcom.dll!KdReceivePacket + 56 820051CA 1 Byte [00]
PAGEKD kdcom.dll!KdReceivePacket + 56 820051CA 9 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
PAGEKD ...
PAGEKD kdcom.dll!KdSendPacket + 41 8200542D 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
PAGEKD kdcom.dll!KdSendPacket + 58 82005444 1 Byte [00]
PAGEKD kdcom.dll!KdSendPacket + 58 82005444 5 Bytes [00, 00, 00, 00, 00]
PAGEKD kdcom.dll!KdSendPacket + 5E 8200544A 1 Byte [00]
PAGEKD kdcom.dll!KdSendPacket + 5E 8200544A 3 Bytes [00, 00, 00]
PAGEKD ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxParamW 75FA1FD5 5 Bytes JMP 723854BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] WININET.dll!HttpAddRequestHeadersA 758CCF4E 5 Bytes JMP 00406BA0
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] WININET.dll!HttpAddRequestHeadersW 758CFE49 5 Bytes JMP 00406DA0
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] USER32.dll!DialogBoxParamW 75FA1FD5 5 Bytes JMP 723854BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!closesocket 7602330C 5 Bytes JMP 006E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!recv 7602343A 5 Bytes JMP 006C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!connect 760240D9 5 Bytes JMP 006D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!getaddrinfo 7602418A 5 Bytes JMP 0071000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!send 7602659B 5 Bytes JMP 006F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!gethostbyname 760362D4 5 Bytes JMP 0070000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WININET.dll!HttpAddRequestHeadersA 758CCF4E 5 Bytes JMP 008A6BA0
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WININET.dll!HttpAddRequestHeadersW 758CFE49 5 Bytes JMP 008A6DA0

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 845ADE7A
Device \Driver\atapi \Device\Ide\IdePort0 845ADE7A
Device \Driver\atapi \Device\Ide\IdePort1 845ADE7A
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 845ADE7A

---- Threads - GMER 1.0.15 ----

Thread System [4:208] 845AF32C
Thread System [4:216] 845AF78A

---- EOF - GMER 1.0.15 ----


Edited by blocka, 16 June 2011 - 11:00 AM.

  • 0
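The "User code sections" part of the GMER log above lists inline hooks in iexplore.exe, and the caution earlier in the thread that rootkit scanners produce false positives applies to it: GMER prints the module and vendor when it can map a JMP target to a loaded module (the USER32.dll!DialogBoxParamW entries land in IEFRAME.dll), and prints only a bare address when it cannot (the WS2_32.dll and WININET.dll entries). The Python below is an added example, not part of GMER or of this thread: it parses that section, separates attributed from unattributed hooks per process, and lists the unattributed ones that sit on network APIs, which is the subset a helper would look at first. The sample log is constructed from the iexplore.exe[1520] lines above, and the names and the NETWORK_MODULES list are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in GMER's "User code sections" format, modelled on the
# iexplore.exe[1520] lines in the posted log (this is not the attached gmer.txt).
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1520] USER32.dll!DialogBoxParamW 75FA1FD5 5 Bytes JMP 723854BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!recv 7602343A 5 Bytes JMP 006C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!send 7602659B 5 Bytes JMP 006F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WS2_32.dll!getaddrinfo 7602418A 5 Bytes JMP 0071000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1520] WININET.dll!HttpAddRequestHeadersA 758CCF4E 5 Bytes JMP 008A6BA0

---- Devices - GMER 1.0.15 ----
"""

# One inline-hook line: ".text process[pid] module!export address N Bytes JMP
# target [target_module (vendor)]"; the bracketed tail is present only when
# GMER resolved the target to a loaded module.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+\d+\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<target_module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?)?\s*$"
)

# Modules whose exports carry the browser's traffic (assumed list, not GMER's).
NETWORK_MODULES = {"WS2_32.DLL", "WININET.DLL", "WSOCK32.DLL"}


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    address: int
    target: int
    target_module: Optional[str]
    vendor: Optional[str]

    @property
    def attributed(self) -> bool:
        """True when GMER mapped the JMP target to a loaded module."""
        return self.target_module is not None


def parse_user_hooks(log_text: str) -> List[Hook]:
    """Return the inline hooks listed under 'User code sections'."""
    hooks: List[Hook] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("---- User code sections"):
            in_section = True
            continue
        if line.startswith("----"):        # any other section header ends it
            in_section = False
            continue
        if not in_section:
            continue
        m = HOOK_RE.match(line)
        if m is None:
            continue
        hooks.append(Hook(
            process=m.group("process"),
            pid=int(m.group("pid")),
            module=m.group("module"),
            export=m.group("export"),
            address=int(m.group("address"), 16),
            target=int(m.group("target"), 16),
            target_module=m.group("target_module"),
            vendor=m.group("vendor"),
        ))
    return hooks


def triage(hooks: List[Hook]) -> Dict[int, Dict[str, List[str]]]:
    """Per process: hooks resolved to a module, hooks that were not, and the
    subset of unresolved hooks that sit on network APIs."""
    report: Dict[int, Dict[str, List[str]]] = {}
    for h in hooks:
        entry = report.setdefault(h.pid, {
            "attributed": [], "unattributed": [], "network_unattributed": []})
        name = f"{h.module}!{h.export}"
        if h.attributed:
            entry["attributed"].append(name)
        else:
            entry["unattributed"].append(name)
            if h.module.upper() in NETWORK_MODULES:
                entry["network_unattributed"].append(name)
    return report


if __name__ == "__main__":
    for pid, entry in triage(parse_user_hooks(SAMPLE_GMER_LOG)).items():
        print(f"PID {pid}: {len(entry['attributed'])} attributed, "
              f"{len(entry['unattributed'])} unattributed "
              f"({len(entry['network_unattributed'])} on network APIs)")
        for name in entry["network_unattributed"]:
            print("  review:", name)
```

An unattributed target is not proof of anything on its own; browser add-ons and security products hook these same exports, which is exactly why the thread's advice is to post the log rather than act on it. The triage only orders the entries so the hooks on recv, send, getaddrinfo and the WinINet header functions come up first.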

#5
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Download and Run RKill

Please download and run the following tool to help allow other programs to run. (Thanks to Grinler of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of these to run, not all of them.
Rkill.exe
Rkill.com
Rkill.scr


Once it is downloaded, right-click and choose Run as Administrator on the rkill.com in order to automatically try to stop any processes associated with rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next steps.

If you get a message rkill is an infection, do not be concerned. The message is just a fake warning by some rogue programs when it terminates programs that may potentially remove it. The trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this should allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue processes. Continue to try running Rkill until the malware is no longer running. You will then be able to proceed with the next steps.

Do not reboot your computer after running rkill as the malware programs will start again.

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and right-click and choose Run as Administrator on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Let me know how the system is behaving now please. If you continue to have trouble running TDSSKiller please let me know.
  • 0

#6
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Are you having any problems with the last set of instructions?

Reminder: Topics with no reply in 4 days are closed!
  • 0

#7
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





