[Teima]

Hello! Welcome back. That's no worries at all.

Note: The log file can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created. Please let me know if have any luck with those instructions.

Also. We are almost in the clear. How does the machine appear to be running within its current state. Any slowdowns or other issues which are faced at the moment?

[Advertisements]

I found the OTL report!
The _ threw me!
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry key HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 07282013_154044
I take it that the 154044 stands for the time 1540 hrs and 44 seconds?

The machine is running ok, I'm still having problems playing youtube videos, the problem is the video will suddenly stop playing and I will find that I am unable to load any webpages at all. The icon for my internet/wireless connection shows that I am still connected however only a restart will get me back online.

[GUBID]

I found the OTL report!
The _ threw me!
========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C}\ not found.
Registry key HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1287660353-1891574393-3237263245-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 07282013_154044
I take it that the 154044 stands for the time 1540 hrs and 44 seconds?

The machine is running ok, I'm still having problems playing youtube videos, the problem is the video will suddenly stop playing and I will find that I am unable to load any webpages at all. The icon for my internet/wireless connection shows that I am still connected however only a restart will get me back online.

[Teima]

Hello GBUID,

I take it that the 154044 stands for the time 1540 hrs and 44 seconds?

Yes that would be correct.

The machine is running ok, I'm still having problems playing youtube videos, the problem is the video will suddenly stop playing and I will find that I am unable to load any webpages at all. The icon for my internet/wireless connection shows that I am still connected however only a restart will get me back online.

Very well. I'll try my best to resolve this issue. Has this issue being occurring for some period of time now? Also. Does it persist in just the one internet browser or all of them?

[Teima]

Hello GBUID. Are you still with me? Just thought I'd touch base as it has been 48 hours since your last response.

[GUBID]

I'm sorry Tiema again I've been very busy and was waiting for feedback on the logs I posted.
The issue is just in Firefox, I don't use any others.
It is a fairly recent issue too, maybe 2 months or so.

[Teima]

Hello GBUID,

No worries. Thanks for clarifying on that for me. For the moment we will attempt to re-install Firefox and see if that resolves the issue. If it doesn't work we'll turn to another alternative.

For the moment. Would you be able to follow these set of instructions? Once those are complete would it be possible to install Firefox from here and let me know if that resolves the current issue. I'd like to see how this works out.

[Dakeyras]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[Dakeyras]

Topic re-opened per OP's request...

[GUBID]

Thanks for re-opening this thread.
My AVG is again detecting a rootkit, it is of the same format as the previous ones.
I have uninstalled and then re-installed Firefox using the links provided and have been able recreate the problem again.
It only seems to happen with the videos that I fast forward.

[Teima]

Thanks for re-opening this thread.

You're most welcome.

My AVG is again detecting a rootkit, it is of the same format as the previous ones.

I believe that AVG could be at fault here. So I have decided to look into this further and investigate the files which it has been reported as an infection.

It only seems to happen with the videos that I fast forward.

Thanks for the additional information. It is much appreciated. For the moment we'll draw our attention back to this possible rootkit infection and should that no longer be deemed as an issue we will move back to the issue within Mozilla Firefox. Thanks.

Step One

Run OTL

• Under the Custom Scans/Fixes box at the bottom, copy and paste in the following.

/md5start
i8042prt.sys
spdi.sys
spct.sys
/md5stop
CREATERESTOREPOINT

• Within OTL click the None button. Once complete click Run Scan. Do not change any settings unless otherwise told to do so. The scan wont take long.

• Once done a report will be displayed. Copy and paste the contents of that report within your next response for me to review.

[GUBID]

That sounds like a good plan!
Here is the output from OTL:

OTL logfile created on: 21/08/2013 23:04:28 - Run 7
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\GUB\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 1.98 Gb Available Physical Memory | 66.07% Memory free
6.19 Gb Paging File | 4.44 Gb Available in Paging File | 71.74% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.40 Gb Total Space | 34.51 Gb Free Space | 15.59% Space Free | Partition Type: NTFS

Computer Name: SHAUN-PC | User Name: Shaun | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Custom Scans ==========

< MD5 for: I8042PRT.SYS >
[2006/11/02 09:51:13 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=1060F1377F395A242E27719440ECE602 -- C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_93b1c41f\i8042prt.sys
[2006/11/02 09:51:13 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=1060F1377F395A242E27719440ECE602 -- C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_3dfa3917\i8042prt.sys
[2008/01/21 03:09:47 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=1C9EE072BAA3ABB460B91D7EE9152660 -- C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_a81145df\i8042prt.sys
[2008/01/21 03:09:47 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=1C9EE072BAA3ABB460B91D7EE9152660 -- C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_f4514c17\i8042prt.sys
[2008/01/21 03:09:47 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=1C9EE072BAA3ABB460B91D7EE9152660 -- C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.16609_none_957131ccdbca3f9c\i8042prt.sys
[2008/01/21 03:09:47 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=1C9EE072BAA3ABB460B91D7EE9152660 -- C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.16609_none_4c56cf70d52c8670\i8042prt.sys
[2008/01/21 03:23:20 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Windows\System32\drivers\i8042prt.sys
[2008/01/21 03:23:23 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_da7e599e\i8042prt.sys
[2008/01/21 03:23:23 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_f55d5e51\i8042prt.sys
[2008/01/21 03:23:20 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_8b7c4328\i8042prt.sys
[2008/01/21 03:23:23 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6001.18000_none_974e6dd8d8f8ec7e\i8042prt.sys
[2008/01/21 03:23:23 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\i8042prt.sys
[2008/01/21 03:23:20 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6001.18000_none_4e340b7cd25b3352\i8042prt.sys
[2008/01/21 03:09:47 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=BEA9838CD25D36BEBA3F94386A761D60 -- C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.0.6000.20734_none_95d55d61f504b486\i8042prt.sys
[2008/01/21 03:09:47 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=BEA9838CD25D36BEBA3F94386A761D60 -- C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.0.6000.20734_none_4cbafb05ee66fb5a\i8042prt.sys

< End of report >

[Teima]

• Please navigate and run AVG which is present on the machine.
• On the History menu, click scan results.
• Double-click the scan result you want to export (a recent scan where malicious code was detected - it will have a blue or red icon).
• Click the Export overview to file.
• Type a name for the file and save it to your computer (we recommend saving it to your Desktop).
• Once complete. Open this file within Notepad and copy and paste the documents of this file within your next response.

[GUBID]

That AVG takes some navigating! It doesn't help when the Scan results aren't in chronological order!
Here's the output you wanted:

Scheduled Scan
Medium priority;"1";"1";"0"
Folders selected for scanning:;"Scan Whole Computer"
Started:;"19/08/2013, 12:00:02"
Finished:;"19/08/2013, 12:41:58"
Total object scanned:;"3092321"
User who launched the scan:;"SYSTEM"

Status;"Priority";"Name";"Description";"Result"
Healed;"Medium";"i8042prt.sys, hooked import HAL.dll READ_PORT_UCHAR -> spdi.sys +0x11E9C";"C:\Windows\System32\Drivers\spdi.sys";"Secured"

The "healing" required a restart, following the restart AVG again detected the rootkit only this time the name was slightly different as you can see from the examples in my email to you.

[Teima]

Hello GBUID,

Thanks for your patience. We've looked into this issue and it appears to be a False Alert from AVG which isn't very convenient. We were wondering if you'd consider switching to another alternative where this issue isn't likely to occur a second time. Please let me know and I'll present some further instructions within my next response.

In regards to the video. Would you be able to inform me as to which content you're attempting to view at the moment? Also. Does the same issue persist with Internet Explorer?

[GUBID]

That's cool to know that it is a false positive on AVGs part.
Why would AVG "find" an infection then not find it and then later find it again?
That's what puzzles me!
I would be interested in considering a switch to something more reliable.
On the video front it's pretty much any Youtube video I decide to fast forward!