Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 23rd September 2011, 12:43 am

Please help, I've got what seems to be a pretty bad malware virus that redirects all search results on search engines. When I run Malwarebytes, it shuts it down within a few seconds and then doesn't give me access to the exe file for the program. It does this for other anti-malware programs too, like HijackThis, aswMBR and Security Check. On aswMBR, just before it shut it down, I was able to see that it found something called Alureon-AJI or something.

I then used TDSSKiller, and it found a virus called Rootkit.win32.ZAccess.e and a suspicious file at C:\windows\2572840512:3213993319.exe (this file shows up at the end of the OTL below). TDSSKiller tried to fix both, but at reboot they were there again.

Here is my OTL:
OTL logfile created on: 9/21/2011 4:53:19 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\RAMON\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1007.48 Mb Total Physical Memory | 254.36 Mb Available Physical Memory | 25.25% Memory free
3.85 Gb Paging File | 3.23 Gb Available in Paging File | 83.89% Paging File free
Paging file location(s): C:\pagefile.sys 3024 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 55.65 Gb Free Space | 37.34% Space Free | Partition Type: NTFS
Drive G: | 279.47 Gb Total Space | 161.21 Gb Free Space | 57.68% Space Free | Partition Type: NTFS

Computer Name: RAMON-2193E6164 | User Name: RAMON | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\2572840512:3213993318.exe
PRC - [2011/09/21 16:10:05 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\RAMON\My Documents\Downloads\OTL.com
PRC - [2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/07/06 19:52:38 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Mali\mbamgui.exe
PRC - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Mali\mbamservice.exe
PRC - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2010/02/05 09:37:21 | 003,179,952 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IDMan.exe
PRC - [2009/10/15 02:51:51 | 000,263,600 | ---- | M] (Tonec Inc.) -- C:\Program Files\Internet Download Manager\IEMonitor.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2007/06/15 16:15:02 | 000,366,400 | ---- | M] (Google Inc.) -- C:\Program Files\Picasa2\PicasaMediaDetector.exe
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/06/06 23:46:24 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
PRC - [2004/11/15 03:20:20 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/10/04 05:47:04 | 000,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
PRC - [2004/07/27 16:50:04 | 000,503,808 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
PRC - [2003/03/11 17:24:40 | 000,086,016 | ---- | M] (Intel(R) Corporation) -- C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/31 14:35:41 | 001,001,432 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2011/08/13 10:09:57 | 006,277,280 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/05/18 11:53:42 | 001,496,576 | ---- | M] () -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
MOD - [2011/05/18 11:53:42 | 000,346,112 | ---- | M] () -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
MOD - [2011/02/21 11:42:06 | 000,409,960 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll
MOD - [2011/02/21 11:42:05 | 000,476,520 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
MOD - [2011/02/21 11:42:03 | 000,421,224 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll
MOD - [2011/02/21 11:42:03 | 000,046,952 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll
MOD - [2011/02/21 11:42:03 | 000,023,912 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll
MOD - [2011/02/21 11:42:03 | 000,018,792 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll
MOD - [2011/02/21 11:42:03 | 000,012,136 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll
MOD - [2011/02/21 11:42:02 | 000,269,672 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll
MOD - [2011/02/21 11:42:02 | 000,121,704 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll
MOD - [2011/02/21 11:42:02 | 000,120,168 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll
MOD - [2011/02/21 11:42:02 | 000,070,504 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll
MOD - [2010/11/21 07:54:34 | 000,094,208 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2010/10/15 13:36:03 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5adb0f89d469632511aed9d88cfe05c4\System.ServiceProcess.ni.dll
MOD - [2010/10/15 13:14:32 | 002,048,000 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll
MOD - [2010/10/15 13:14:30 | 003,182,592 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
MOD - [2010/10/15 13:14:24 | 002,933,248 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/10/15 13:14:20 | 000,425,984 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
MOD - [2010/10/15 13:14:01 | 000,626,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
MOD - [2010/10/15 13:13:59 | 000,303,104 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
MOD - [2010/10/15 13:13:52 | 000,258,048 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
MOD - [2010/10/15 13:13:48 | 000,261,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2010/10/15 13:13:29 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2010/10/15 13:12:45 | 005,025,792 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
MOD - [2010/10/15 12:48:57 | 007,949,824 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\37217abe2c5164e59aba251860f4c79e\System.ni.dll
MOD - [2010/02/03 21:56:04 | 000,854,016 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll
MOD - [2010/02/03 21:56:00 | 000,403,456 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll
MOD - [2010/02/03 21:55:58 | 000,471,040 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
MOD - [2010/02/03 21:55:49 | 000,046,880 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll
MOD - [2010/02/03 21:55:48 | 000,018,720 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll
MOD - [2010/02/03 21:55:47 | 000,419,616 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll
MOD - [2010/02/03 21:55:45 | 000,270,112 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.445.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll
MOD - [2010/02/03 21:55:44 | 000,120,096 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll
MOD - [2010/02/03 21:55:43 | 000,070,432 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll
MOD - [2010/02/03 21:55:42 | 000,121,632 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll
MOD - [2010/01/08 14:30:27 | 011,486,720 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7124a40b9998f7b63c86bd1a2125ce26\mscorlib.ni.dll
MOD - [2009/11/10 16:39:24 | 000,929,792 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
MOD - [2009/02/15 19:22:19 | 001,058,304 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll
MOD - [2009/02/15 19:22:17 | 000,471,040 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
MOD - [2009/02/15 19:22:15 | 000,047,392 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\2.1.72.12__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll
MOD - [2009/02/15 19:22:15 | 000,018,720 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\2.1.72.12__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll
MOD - [2009/02/15 19:22:12 | 000,401,696 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\2.1.72.12__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll
MOD - [2009/02/15 19:22:11 | 000,238,368 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.145.4__540d4816ead86321\Intuit.Spc.Esd.Core.dll
MOD - [2009/02/15 19:22:10 | 000,120,608 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\2.1.72.12__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll
MOD - [2009/02/15 19:22:09 | 000,072,992 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\2.1.72.12__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll
MOD - [2009/02/15 19:22:08 | 000,130,848 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\2.1.72.12__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll
MOD - [2009/02/15 19:11:22 | 000,755,712 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.56.0__28c9bcd4dddc48a1\System.Data.SQLite.dll
MOD - [2009/02/15 19:11:19 | 000,270,336 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll
MOD - [2009/02/15 19:11:14 | 000,458,752 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Portability\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Portability.dll
MOD - [2009/02/15 19:11:13 | 000,065,536 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.ExceptionHandling\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.ExceptionHandling.dll
MOD - [2009/02/15 19:11:13 | 000,045,056 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Logging\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Logging.dll
MOD - [2009/02/15 19:11:11 | 000,073,728 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Config\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Config.dll
MOD - [2008/06/20 10:41:10 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll
MOD - [2005/10/07 16:05:32 | 000,125,440 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2004/10/04 05:47:04 | 000,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
MOD - [2004/10/04 05:46:50 | 000,147,456 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\platform.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [On_Demand | Stopped] -- -- (Altsvert)
SRV - [2011/07/06 19:52:38 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Disabled | Running] -- C:\Program Files\Mali\mbamservice.exe -- (MBAMService)
SRV - [2011/03/12 18:59:28 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/08/23 21:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/01/15 05:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2004/10/04 05:47:04 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/09/21 15:40:23 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | Disabled | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2004/11/17 04:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/11/15 03:15:18 | 000,088,080 | ---- | M] (Jetico, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\BCSwap.sys -- (BCSWAP)
DRV - [2003/09/26 04:53:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:6.8.2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:6
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.95
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.14
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.36
FF - prefs.js..network.proxy.ftp: "102.227.gdsl.nwc.net"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.gopher: "102.227.gdsl.nwc.net"
FF - prefs.js..network.proxy.gopher_port: 80
FF - prefs.js..network.proxy.http: "102.227.gdsl.nwc.net"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "102.227.gdsl.nwc.net"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "102.227.gdsl.nwc.net"
FF - prefs.js..network.proxy.ssl_port: 80


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Content Upload Plugin,version=1.0.0: C:\Program Files\DivX\DivX Content Uploader\npUpload.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\Ringz Studio\Storm Codec\Plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\Ringz Studio\Storm Codec\Plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.21\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/31 14:35:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.21\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/08/31 14:35:44 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\mozilla_cc@internetdownloadmanager.com: C:\Documents and Settings\RAMON\Application Data\IDM\idmmzcc3 [2010/02/05 09:37:54 | 000,000,000 | ---D | M]

[2010/02/04 12:58:17 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Extensions
[2011/09/21 16:40:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions
[2010/05/13 08:51:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/05/30 11:38:13 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/07/27 09:13:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{77ac95fc-941d-4c31-a4f2-421895f2cb20}
[2011/09/21 15:47:20 | 000,000,000 | ---D | M] ("StumbleUpon") -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2011/08/09 14:26:05 | 000,000,000 | ---D | M] (SearchStatus) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2011/07/19 10:42:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\{f304555a-4dfb-4c0b-bdf2-a4e3cb57215f}
[2011/01/04 09:47:19 | 000,000,000 | ---D | M] (Element Properties) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\properties@darktrojan.net
[2011/02/16 17:28:43 | 000,000,000 | ---D | M] (TinEye Reverse Image Search) -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\tineye@ideeinc.com
[2011/08/17 11:35:41 | 000,000,000 | ---D | M] ("Alexa Toolbar") -- C:\Documents and Settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\extensions\toolbar@alexa.com
[2011/09/21 13:39:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/05 09:37:54 | 000,000,000 | ---D | M] (IDM CC) -- C:\DOCUMENTS AND SETTINGS\RAMON\APPLICATION DATA\IDM\IDMMZCC3
[2010/10/27 16:14:43 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2007/01/05 17:23:00 | 000,049,152 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2006/11/20 14:14:46 | 000,114,688 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npmozax.dll

Hosts file not found
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Alexa Toolbar) - {EA582743-9076-4178-9AA6-7393FDF4D5CE} - C:\Program Files\Alexa Toolbar\AlexaToolbar.10.0.dll (Alexa.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BCWipeTM Startup] C:\Program Files\Jetico\BCWipe\BCWipeTM.exe (Jetico, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Nikon Message Center 2] C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe (Nikon Corporation)
O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel(R) Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti File not found
O4 - HKCU..\Run: [EPSON WorkForce 500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEQA.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe (Tonec Inc.)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Mali2\mbamgui.exe /install /silent File not found
O4 - Startup: C:\Documents and Settings\RAMON\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\RAMON\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O8 - Extra context menu item: Save Picture to Mobile Phone - C:\Program Files\Pix2Fone\p2fd.html File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [You must be registered and logged in to see this link.] (QuickTime Object)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} [You must be registered and logged in to see this link.] (AlternaTIFF ActiveX)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{38E5743E-4755-4BA2-AC9A-5445A694DB2F}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\RAMON\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\RAMON\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/28 16:01:25 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{f60645e8-67ac-11dd-bbaf-00148560e53c}\Shell\AutoRun\command - "" = F:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\WD_Windows_Tools\Setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/21 15:51:16 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/09/21 15:46:22 | 000,000,000 | ---D | C] -- C:\~BCWipe.stu
[2011/09/21 15:40:23 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/21 15:36:01 | 000,000,000 | ---D | C] -- C:\Program Files\Mali2
[2011/09/07 10:36:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\mali
[2011/09/07 10:36:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mali
[2011/09/02 15:31:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\RAMON\Recent
[2011/09/01 12:26:08 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/26 16:19:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\RAMON\My Documents\LAGreatDeals
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[25 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Documents and Settings\RAMON\Desktop\*.tmp files -> C:\Documents and Settings\RAMON\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\RAMON\*.tmp files -> C:\Documents and Settings\RAMON\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/21 16:51:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/09/21 15:50:18 | 004,223,304 | R--- | M] () -- C:\Documents and Settings\RAMON\Desktop\iexplore.exe
[2011/09/21 15:40:23 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/09/21 15:38:17 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/21 14:30:43 | 000,108,544 | ---- | M] () -- C:\Documents and Settings\RAMON\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/09/21 14:02:17 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/09/21 13:31:59 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/21 08:38:58 | 000,013,700 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/21 08:38:43 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/09/21 08:38:28 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2572840512
[2011/09/21 08:38:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/01 15:50:22 | 000,143,095 | ---- | M] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 3.49.58 PM.png
[2011/09/01 15:28:07 | 000,045,466 | ---- | M] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 3.27.52 PM.png
[2011/09/01 15:24:52 | 000,215,869 | ---- | M] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 3.24.24 PM.png
[2011/09/01 14:19:55 | 000,042,228 | ---- | M] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 2.19.30 PM.png
[2011/09/01 14:15:03 | 000,070,955 | ---- | M] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 2.14.37 PM.png
[2011/09/01 12:51:38 | 000,000,736 | ---- | M] () -- C:\Documents and Settings\RAMON\Desktop\Shortcut to YahooMessenger.exe.lnk
[2011/09/01 11:57:12 | 004,194,304 | ---- | M] () -- C:\WINDOWS\System32\cokiejsi.dll
[2011/08/30 11:22:44 | 003,102,620 | ---- | M] () -- C:\Documents and Settings\RAMON\My Documents\IMG_0218.JPG
[2011/08/30 11:21:43 | 003,069,720 | ---- | M] () -- C:\Documents and Settings\RAMON\My Documents\IMG_0208.JPG
[2011/08/26 16:19:20 | 000,000,156 | ---- | M] () -- C:\WINDOWS\Twunk001.MTX
[2011/08/26 16:19:20 | 000,000,005 | ---- | M] () -- C:\WINDOWS\Twain001.Mtx
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[25 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Documents and Settings\RAMON\Desktop\*.tmp files -> C:\Documents and Settings\RAMON\Desktop\*.tmp -> ]
[1 C:\Documents and Settings\RAMON\*.tmp files -> C:\Documents and Settings\RAMON\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/21 15:50:12 | 004,223,304 | R--- | C] () -- C:\Documents and Settings\RAMON\Desktop\iexplore.exe
[2011/09/21 13:31:59 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\{2521BB91-29B1-4d7e-9137-AC9875D77735}
[2011/09/01 15:50:20 | 000,143,095 | ---- | C] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 3.49.58 PM.png
[2011/09/01 15:28:06 | 000,045,466 | ---- | C] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 3.27.52 PM.png
[2011/09/01 15:24:50 | 000,215,869 | ---- | C] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 3.24.24 PM.png
[2011/09/01 14:19:54 | 000,042,228 | ---- | C] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 2.19.30 PM.png
[2011/09/01 14:15:01 | 000,070,955 | ---- | C] () -- C:\Documents and Settings\RAMON\My Documents\Screen Shot 2011-09-01 at 2.14.37 PM.png
[2011/09/01 12:51:38 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\RAMON\Desktop\Shortcut to YahooMessenger.exe.lnk
[2011/09/01 12:26:12 | 000,000,633 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/01 11:57:13 | 000,000,000 | ---- | C] () -- C:\WINDOWS\2572840512
[2011/09/01 11:57:12 | 004,194,304 | ---- | C] () -- C:\WINDOWS\System32\cokiejsi.dll
[2011/08/30 11:22:18 | 003,102,620 | ---- | C] () -- C:\Documents and Settings\RAMON\My Documents\IMG_0218.JPG
[2011/08/30 11:21:16 | 003,069,720 | ---- | C] () -- C:\Documents and Settings\RAMON\My Documents\IMG_0208.JPG
[2011/05/12 12:34:58 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17489700
[2011/05/12 12:34:58 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~17489700r
[2011/05/12 12:27:37 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\hxidtbq.sys
[2011/05/12 12:07:31 | 000,000,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17489700
[2011/05/12 12:02:04 | 000,014,570 | -HS- | C] () -- C:\Documents and Settings\RAMON\Local Settings\Application Data\u6q2414fjw7268ptku80vj4v37oh43410k8d0i40wi
[2011/05/12 12:02:04 | 000,014,570 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\u6q2414fjw7268ptku80vj4v37oh43410k8d0i40wi
[2011/03/12 21:42:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX2.INI
[2011/03/12 19:51:02 | 000,000,268 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\Image Manipulation
[2011/03/12 19:51:02 | 000,000,268 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\Image Capture
[2011/03/12 19:51:02 | 000,000,268 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\Icons
[2011/03/12 19:51:02 | 000,000,268 | R--- | C] () -- C:\Documents and Settings\RAMON\Application Data\Hybrid Morph
[2011/03/12 19:51:02 | 000,000,268 | R--- | C] () -- C:\Documents and Settings\RAMON\Application Data\Hybrid Chords
[2011/03/12 19:51:02 | 000,000,268 | R--- | C] () -- C:\Documents and Settings\RAMON\Application Data\Hybrid Basic
[2011/03/12 19:51:02 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLev.DAT
[2011/03/12 19:51:02 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLet.DAT
[2011/03/12 19:51:02 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLes.DAT
[2011/03/12 19:20:22 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2011/02/21 16:54:58 | 000,825,312 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/04/27 12:44:00 | 000,256,792 | ---- | C] () -- C:\Program Files\SoftonicDownloader60361.exe
[2009/06/24 20:56:46 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2009/06/24 20:56:45 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2009/06/24 20:56:45 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2009/06/24 20:56:45 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2009/06/24 20:56:45 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2009/06/24 20:56:45 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2009/06/24 20:56:45 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2009/06/24 20:56:45 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2009/06/24 20:56:45 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2009/06/24 20:56:45 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2009/06/24 20:56:45 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2009/06/24 20:56:45 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2009/06/24 20:56:45 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2009/06/24 20:56:45 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2009/06/24 20:56:45 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2009/06/24 20:56:45 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2009/06/24 20:55:41 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPWF500.ini
[2007/01/07 21:38:50 | 000,001,057 | ---- | C] () -- C:\WINDOWS\ARCHPR.INI
[2006/12/12 01:17:09 | 000,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2006/12/12 01:17:09 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2006/12/12 01:17:08 | 002,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2006/12/12 01:17:08 | 000,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2006/12/02 02:13:45 | 000,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2006/10/31 23:54:30 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/10/31 23:52:38 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/10/28 16:09:44 | 000,000,284 | ---- | C] () -- C:\Documents and Settings\RAMON\Application Data\ViewerApp.dat
[2006/09/24 22:16:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/09/24 22:16:16 | 000,003,646 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/09/13 23:28:54 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/05/26 06:29:14 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2006/02/26 22:18:51 | 000,001,901 | ---- | C] () -- C:\WINDOWS\panose.bin
[2006/02/26 22:14:18 | 000,042,483 | ---- | C] () -- C:\WINDOWS\Icccodes.dat
[2006/02/26 22:14:18 | 000,000,156 | ---- | C] () -- C:\WINDOWS\Kpcms.ini
[2006/02/26 22:14:07 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2006/02/26 22:01:10 | 000,039,095 | ---- | C] () -- C:\WINDOWS\Iccsigs.dat
[2006/02/26 22:01:09 | 000,112,688 | ---- | C] () -- C:\WINDOWS\System32\shw32.dll
[2006/02/09 01:56:08 | 000,001,375 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/02/08 09:27:41 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\FileOps.exe
[2006/01/24 22:56:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\RAMON\Application Data\dm.ini
[2006/01/15 00:26:40 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2006/01/12 22:20:19 | 000,012,499 | ---- | C] () -- C:\WINDOWS\System32\Seagate.bin
[2006/01/12 13:08:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/12 12:38:07 | 000,108,544 | ---- | C] () -- C:\Documents and Settings\RAMON\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/12 12:36:22 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/01/12 03:24:14 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2006/01/12 03:24:09 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/01/12 03:24:09 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2006/01/12 03:23:07 | 000,012,288 | R--- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2006/01/12 03:04:37 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/01/12 02:59:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/01/11 22:49:08 | 000,000,208 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2006/01/11 18:48:37 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/01/11 18:45:45 | 001,553,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 05:00:00 | 000,435,260 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 05:00:00 | 000,068,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 05:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 05:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 05:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/05/14 23:39:50 | 000,155,136 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002/05/14 21:58:38 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\v2k2_dec.dll


Last edited by brokecomp on 23rd September 2011, 12:50 am; edited 1 time in total


Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 23rd September 2011, 12:44 am

Here is the rest of the OTL:

========== Custom Scans ==========


< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >
[2006/10/07 18:03:11 | 003,337,107 | ---- | M] (FilmLoop Inc.) -- C:\Documents and Settings\RAMON\Desktop\FilmLoopSetup.exe
[2011/09/21 15:50:18 | 004,223,304 | R--- | M] () -- C:\Documents and Settings\RAMON\Desktop\iexplore.exe
[2006/10/07 20:44:10 | 005,080,744 | ---- | M] () -- C:\Documents and Settings\RAMON\Desktop\SlideSetup-32468.exe
[1 C:\Documents and Settings\RAMON\Desktop\*.tmp files -> C:\Documents and Settings\RAMON\Desktop\*.tmp -> ]

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >
[2006/09/24 22:15:47 | 005,127,800 | ---- | M] (Mozilla) -- C:\Documents and Settings\RAMON\My Documents\Firefox Setup 1.5.0.7.exe
[2006/06/11 22:06:39 | 011,817,800 | ---- | M] (InstallShield Software Corporation) -- C:\Documents and Settings\RAMON\My Documents\GoogleEarth.exe
[2006/02/14 12:16:16 | 005,573,026 | ---- | M] (Cucusoft, Inc. ) -- C:\Documents and Settings\RAMON\My Documents\iPod-ConverterFullikd306.exe
[2010/03/19 08:17:57 | 002,923,978 | ---- | M] (Nav.Net Solutions ) -- C:\Documents and Settings\RAMON\My Documents\NavNetSetupB35.exe
[2006/01/12 22:19:07 | 006,370,342 | ---- | M] (DJI Interprises, LLC) -- C:\Documents and Settings\RAMON\My Documents\nb432u.exe

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2011/08/31 14:35:38 | 000,107,480 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2011/08/31 14:35:42 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2011/08/31 14:35:42 | 000,246,744 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2006/06/27 23:44:53 | 000,000,000 | ---D | M] -- C:\Program Files\AC3Filter
[2011/03/12 19:22:36 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2006/01/12 03:47:16 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2011/06/25 09:38:32 | 000,000,000 | ---D | M] -- C:\Program Files\Alexa Toolbar
[2006/12/06 22:10:15 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2006/01/12 03:24:16 | 000,000,000 | ---D | M] -- C:\Program Files\AvRack
[2011/03/12 19:08:10 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2011/06/16 15:13:39 | 000,000,000 | ---D | M] -- C:\Program Files\CamStudio 2.6b
[2010/12/18 19:58:41 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2011/05/06 07:38:40 | 000,000,000 | R--D | M] -- C:\Program Files\Common Files
[2006/01/12 02:59:31 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2006/02/26 22:01:14 | 000,000,000 | ---D | M] -- C:\Program Files\Corel
[2006/12/12 01:17:07 | 000,000,000 | ---D | M] -- C:\Program Files\Cucusoft
[2006/01/12 03:37:01 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2010/02/05 14:46:43 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2011/04/10 15:18:31 | 000,000,000 | ---D | M] -- C:\Program Files\DVD Flick
[2011/08/17 11:32:21 | 000,000,000 | ---D | M] -- C:\Program Files\DVDFab 8
[2009/06/24 21:01:18 | 000,000,000 | ---D | M] -- C:\Program Files\epson
[2011/03/05 14:15:57 | 000,000,000 | ---D | M] -- C:\Program Files\FileZilla FTP Client
[2010/02/16 10:40:44 | 000,000,000 | ---D | M] -- C:\Program Files\FLV Player
[2006/11/05 23:00:01 | 000,000,000 | ---D | M] -- C:\Program Files\Folder Lock
[2006/12/07 13:10:32 | 000,000,000 | ---D | M] -- C:\Program Files\Free iPod Video Converter
[2006/09/13 23:56:41 | 000,000,000 | ---D | M] -- C:\Program Files\Getleft
[2010/02/04 16:20:52 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2011/03/12 19:53:36 | 000,000,000 | ---D | M] -- C:\Program Files\InstallShield Installation Information
[2006/01/12 03:23:25 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/02/05 09:37:02 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Download Manager
[2011/05/09 14:20:07 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2006/12/06 22:12:59 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2007/01/19 23:31:58 | 000,000,000 | ---D | M] -- C:\Program Files\ItsDeductible2006
[2006/12/06 22:13:06 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2007/04/04 20:46:51 | 000,000,000 | ---D | M] -- C:\Program Files\JAlbum
[2007/04/04 20:48:17 | 000,000,000 | ---D | M] -- C:\Program Files\JAlbum7.1
[2010/10/27 16:14:38 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2006/03/10 00:07:43 | 000,000,000 | ---D | M] -- C:\Program Files\Jetico
[2006/02/26 18:09:27 | 000,000,000 | ---D | M] -- C:\Program Files\Kai's Power Goo
[2006/02/14 00:35:24 | 000,000,000 | ---D | M] -- C:\Program Files\Macromedia
[2011/09/21 15:46:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mali
[2011/09/21 15:48:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mali2
[2011/09/02 18:36:04 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2006/09/17 00:05:53 | 000,000,000 | ---D | M] -- C:\Program Files\Maxtor
[2010/02/09 09:54:19 | 000,000,000 | ---D | M] -- C:\Program Files\McAfee Security Scan
[2008/08/28 14:06:36 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2006/01/12 03:02:40 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2011/05/05 15:07:39 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2011/06/08 13:34:45 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2006/01/12 13:06:33 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2011/05/05 14:59:49 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 8
[2011/05/06 07:43:56 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2011/05/05 15:05:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/04/22 11:11:00 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/09/21 15:47:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2011/05/05 15:08:00 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2006/01/12 02:58:16 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2006/01/12 02:58:48 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2011/03/14 09:13:57 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/11/24 09:01:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2006/10/30 01:18:48 | 000,000,000 | ---D | M] -- C:\Program Files\MTV Networks
[2010/12/17 12:17:52 | 000,000,000 | ---D | M] -- C:\Program Files\MyPublisher
[2006/01/12 03:00:21 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/03/12 19:53:24 | 000,000,000 | ---D | M] -- C:\Program Files\Nikon
[2006/01/12 02:58:56 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2011/06/13 09:45:19 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2006/04/10 00:00:20 | 000,000,000 | ---D | M] -- C:\Program Files\Paint Shop Pro
[2007/07/15 19:14:49 | 000,000,000 | ---D | M] -- C:\Program Files\Picasa2
[2006/11/01 21:02:53 | 000,000,000 | ---D | M] -- C:\Program Files\Pinnacle
[2011/07/19 10:42:05 | 000,000,000 | ---D | M] -- C:\Program Files\Pix2Fone
[2006/10/28 16:00:44 | 000,000,000 | ---D | M] -- C:\Program Files\PIXELA
[2011/03/12 19:50:12 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2006/01/12 03:24:16 | 000,000,000 | ---D | M] -- C:\Program Files\Realtek Sound Manager
[2009/11/24 09:05:15 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2007/10/31 12:57:08 | 000,000,000 | ---D | M] -- C:\Program Files\Ringz Studio
[2006/09/13 23:28:38 | 000,000,000 | ---D | M] -- C:\Program Files\Roxio
[2006/10/14 23:41:51 | 000,000,000 | ---D | M] -- C:\Program Files\Slide
[2006/10/28 15:58:30 | 000,000,000 | ---D | M] -- C:\Program Files\Sony Corporation
[2011/07/14 16:38:52 | 000,000,000 | ---D | M] -- C:\Program Files\Sophos
[2006/11/02 22:59:51 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2006/11/01 19:09:00 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec_Client_Security
[2011/02/21 11:35:25 | 000,000,000 | ---D | M] -- C:\Program Files\TurboTax
[2006/01/12 03:08:20 | 000,000,000 | ---D | M] -- C:\Program Files\Uninstall Information
[2010/04/23 09:53:38 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2006/02/08 09:29:54 | 000,000,000 | ---D | M] -- C:\Program Files\Viewpoint
[2006/12/02 02:20:24 | 000,000,000 | ---D | M] -- C:\Program Files\viewsonic
[2006/11/01 20:24:43 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Components
[2011/06/21 18:25:38 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2007/03/23 14:36:07 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2006/01/12 02:58:39 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2006/01/12 03:01:10 | 000,000,000 | ---D | M] -- C:\Program Files\WindowsUpdate
[2006/07/04 13:19:21 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2006/01/12 03:02:40 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2006/10/29 23:39:12 | 000,000,000 | ---D | M] -- C:\Program Files\XviD
[2010/02/04 09:55:49 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2004/08/04 05:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\system32\dllcache\disk.sys
[2004/08/04 05:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\system32\drivers\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\disk.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 11:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-05-12 16:26:11

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/31 14:35:42 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/31 14:35:42 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/31 14:35:42 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2010/05/05 06:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2010/05/05 06:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2010/05/05 06:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/31 14:35:42 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/31 14:35:42 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/31 14:35:42 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\firefox.exe\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/31 14:35:38 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2010/05/05 06:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2010/05/05 06:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2010/05/05 06:30:57 | 000,173,056 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

========== Files - Unicode (All) ==========
[2011/05/31 10:01:16 | 030,200,003 | ---- | M] ()(C:\Documents and Settings\RAMON\My Documents\YouTube - ?charliejames1975_s Channel??.flv) -- C:\Documents and Settings\RAMON\My Documents\YouTube - ‪charliejames1975_s Channel‬‏.flv
[2011/05/31 10:00:45 | 030,200,003 | ---- | C] ()(C:\Documents and Settings\RAMON\My Documents\YouTube - ?charliejames1975_s Channel??.flv) -- C:\Documents and Settings\RAMON\My Documents\YouTube - ‪charliejames1975_s Channel‬‏.flv

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\2572840512:3213993318.exe

< End of report >

brokecomp
Novice

Posts : 11
Joined : 2011-09-21
OS : Windows XP Home Edition

Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 23rd September 2011, 12:45 am

Here is the extras.txt info:

OTL Extras logfile created on: 9/21/2011 4:53:19 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\RAMON\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1007.48 Mb Total Physical Memory | 254.36 Mb Available Physical Memory | 25.25% Memory free
3.85 Gb Paging File | 3.23 Gb Available in Paging File | 83.89% Paging File free
Paging file location(s): C:\pagefile.sys 3024 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 55.65 Gb Free Space | 37.34% Space Free | Partition Type: NTFS
Drive G: | 279.47 Gb Total Space | 161.21 Gb Free Space | 57.68% Space Free | Partition Type: NTFS

Computer Name: RAMON-2193E6164 | User Name: RAMON | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.js [@ = JSFile] -- "C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe" "%1"

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe" "%1"
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe:*:Enabled:Dreamweaver 8 -- (Macromedia, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"C:\Documents and Settings\RAMON\Local Settings\Temp\Rar$EX00.203\Charon.exe" = C:\Documents and Settings\RAMON\Local Settings\Temp\Rar$EX00.203\Charon.exe:*:Enabled:Charon - A proxy checking / scanning program.
"C:\Documents and Settings\RAMON\Local Settings\Temp\Rar$EX21.297\Charon.exe" = C:\Documents and Settings\RAMON\Local Settings\Temp\Rar$EX21.297\Charon.exe:*:Enabled:Charon - A proxy checking / scanning program.
"C:\Program Files\JAlbum7.1\JAlbumWin.exe" = C:\Program Files\JAlbum7.1\JAlbumWin.exe:*:Enabled:JAlbumWin -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{09E2111C-16B1-4DDF-BF0D-F994C9A12350}" = Adobe Setup
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java(TM) 6 Update 15
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{360EDFB0-EAA2-012B-AD16-000000000000}" = TurboTax 2009 wcaiper
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{416DFEDD-9F1B-4EFC-AF70-FCA891AE0251}" = Adobe InDesign CS
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{51EF423B-DEAD-4102-A330-2B4260FD6579}" = Roxio MediaTicker
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{61CEB2D7-8D3B-4247-B75E-A95F6699B90A}" = Adobe After Effects 6.5
"{639858DD-4966-40F3-A706-7C838BCF3A2B}" = MaxBlast 4
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6BD31B80-7E9E-4FAF-B911-0AC31FB94BF6}" = Adobe Encore DVD 1.5
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{87FF0E39-8490-4EB4-A557-FF12F712EF7E}" = TurboTax 2010 wcaiper
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A367C28-423C-48E2-8C76-EBA1171F932A}" = Adobe Photoshop Album 2.0
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}" = Adobe Illustrator CS
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A14F7508-B784-40B8-B11A-E0E2EEB7229F}" = Adobe Premiere Pro 1.5
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}" = Apple Software Update
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel(R) PROSet
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{ABDA9912-5D00-11D4-BAE7-9367CA097955}" = Macromedia Dreamweaver 4
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.8
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B014EE44-9197-4513-9613-71E6EB1B514E}" = Nikon Message Center 2
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B7F560B3-6EFF-4026-A982-843895A41149}" = Adobe BridgeTalk Plugin CS3
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1C18EDD-571A-4BDD-BE7B-1DD86027D7FF}" = Adobe Creative Suite 3 Design Premium
"{D1E7142C-6BC3-49EB-A71A-E5D7ADAC7599}" = Nikon File Uploader 2
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D3E4251D-8364-4698-B0E0-A7C799384403}" = Adobe GoLive CS (ENG)
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DDD62492-32A7-412B-8AF1-2CF032AD42E3}" = ViewNX 2
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FD9C31B6-F572-414D-81E3-89368C97A125}_is1" = CamStudio OSS Desktop Recorder
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject
"AC3Filter" = AC3Filter (remove only)
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe PageMaker 7.0" = Adobe PageMaker 7.0
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe_c14ac4070fd9614ffe63f4bb533db2c" = Add or Remove Adobe Creative Suite 3 Design Premium
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"Advanced Archive Password Recovery" = Advanced Archive Password Recovery (remove only)
"Alexa Toolbar" = Alexa Toolbar
"BCWipe" = BCWipe 3.0
"camcodec" = CamStudio Lossless Codec
"CCleaner" = CCleaner
"Corel Applications" = Corel Applications
"Cucusoft iPod Video Converter_is1" = Cucusoft iPod Video Converter 3.06
"DivX Content Uploader" = DivX Content Uploader
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Flick_is1" = DVD Flick 1.3.0.7
"DVDFab 8_is1" = DVDFab 8.0.8.2 (15/03/2011)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Scanner" = EPSON Scan
"EPSON WorkForce 500 Series" = EPSON WorkForce 500 Series Printer Uninstall
"FileZilla Client" = FileZilla Client 3.3.5.1
"FLV Player" = FLV Player 2.0 (build 25)
"Free iPod Video Converter_is1" = Free iPod Video Converter 1.26
"Getleft_is1" = Getleft v1.1.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Internet Download Manager" = Internet Download Manager
"JAlbum_0" = JAlbum 7.1
"Macromedia Dreamweaver 3" = Macromedia Dreamweaver 3
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.21)" = Mozilla Firefox (3.6.21)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyPublisher" = MyPublisher
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Paint Shop Pro 4.12 Shareware" = Paint Shop Pro 4.12 Shareware
"Picasa2" = Picasa 2
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"Storm Codec 5" = Storm Codec
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"TurboTax 2010" = TurboTax 2010
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VLC media player 1.0.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD_is1" = XviD 1.1 final uninstall
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Pix2Fone Extension for Internet Explorer" = Pix2Fone Extension for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/26/2011 4:38:32 PM | Computer Name = RAMON-2193E6164 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.4127, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/26/2011 4:38:34 PM | Computer Name = RAMON-2193E6164 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4127, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.

Error - 6/7/2011 7:36:14 PM | Computer Name = RAMON-2193E6164 | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 10.0.0.1102, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/8/2011 7:46:46 PM | Computer Name = RAMON-2193E6164 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4127, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.

Error - 6/14/2011 8:21:52 PM | Computer Name = RAMON-2193E6164 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4127, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.

Error - 7/21/2011 5:11:50 PM | Computer Name = RAMON-2193E6164 | Source = Application Hang | ID = 1002
Description = Hanging application QuickTimePlayer.exe, version 7.66.71.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/6/2011 3:06:03 PM | Computer Name = RAMON-2193E6164 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4182, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.

Error - 8/23/2011 8:00:00 PM | Computer Name = RAMON-2193E6164 | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 10.0.0.1102, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/31/2011 5:35:34 PM | Computer Name = RAMON-2193E6164 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4232, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.

Error - 9/21/2011 7:10:17 PM | Computer Name = RAMON-2193E6164 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module urlmon.dll, version 8.0.6001.18923, fault address 0x00004ff0.

[ System Events ]
Error - 9/21/2011 6:25:51 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 6:27:27 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 6:32:09 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 6:32:09 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 6:32:10 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 6:32:10 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 6:32:10 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 6:32:10 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 7:10:33 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 9/21/2011 7:10:38 PM | Computer Name = RAMON-2193E6164 | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127


< End of report >

brokecomp
Novice
Posts : 11
Joined : 2011-09-21
OS : Windows XP Home Edition
Points : 19233
# Likes : 0

Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 23rd September 2011, 12:47 am

Like I said earlier, aswMBR and Security Check get shut down by the virus, so I'm unable to run and upload those results.

If someone could help I would greatly appreciate it.

Thanks!


Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 23rd September 2011, 1:00 am

Forgot to add the TDSSKiller info:

2011/09/22 17:27:39.0015 3148 TDSS rootkit removing tool 2.5.23.0 Sep 20 2011 08:53:10
2011/09/22 17:27:39.0562 3148 ================================================================================
2011/09/22 17:27:39.0562 3148 SystemInfo:
2011/09/22 17:27:39.0562 3148
2011/09/22 17:27:39.0562 3148 OS Version: 5.1.2600 ServicePack: 2.0
2011/09/22 17:27:39.0562 3148 Product type: Workstation
2011/09/22 17:27:39.0562 3148 ComputerName: RAMON-2193E6164
2011/09/22 17:27:39.0562 3148 UserName: RAMON
2011/09/22 17:27:39.0562 3148 Windows directory: C:\WINDOWS
2011/09/22 17:27:39.0562 3148 System windows directory: C:\WINDOWS
2011/09/22 17:27:39.0562 3148 Processor architecture: Intel x86
2011/09/22 17:27:39.0562 3148 Number of processors: 1
2011/09/22 17:27:39.0562 3148 Page size: 0x1000
2011/09/22 17:27:39.0562 3148 Boot type: Normal boot
2011/09/22 17:27:39.0562 3148 ================================================================================
2011/09/22 17:27:40.0468 3148 Initialize success
2011/09/22 17:27:42.0109 3332 ================================================================================
2011/09/22 17:27:42.0109 3332 Scan started
2011/09/22 17:27:42.0109 3332 Mode: Manual;
2011/09/22 17:27:42.0109 3332 ================================================================================
2011/09/22 17:27:42.0953 3332 406e5a99 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2572840512:3213993318.exe
2011/09/22 17:27:45.0046 3332 Suspicious file (Hidden): C:\WINDOWS\2572840512:3213993318.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/09/22 17:27:45.0062 3332 406e5a99 - detected HiddenFile.Multi.Generic (1)
2011/09/22 17:27:45.0140 3332 61883 (86d7b1e70661d754685b9ac6d749aae5) C:\WINDOWS\system32\DRIVERS\61883.sys
2011/09/22 17:27:45.0515 3332 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/22 17:27:45.0671 3332 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/22 17:27:45.0796 3332 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/09/22 17:27:45.0906 3332 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/09/22 17:27:46.0187 3332 ALCXWDM (933933288df5ed26d1928215c97d05c7) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/09/22 17:27:46.0468 3332 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/22 17:27:46.0687 3332 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/22 17:27:46.0765 3332 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/22 17:27:46.0906 3332 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/22 17:27:46.0984 3332 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/22 17:27:47.0062 3332 Avc (87c223adb8f7596b31caae3c67b16ddd) C:\WINDOWS\system32\DRIVERS\avc.sys
2011/09/22 17:27:47.0140 3332 BCSWAP (78986bd2b53c6c0405c30f39dbec5192) C:\WINDOWS\system32\drivers\BCSWAP.sys
2011/09/22 17:27:47.0234 3332 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/22 17:27:47.0343 3332 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/22 17:27:47.0421 3332 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/09/22 17:27:47.0546 3332 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/22 17:27:47.0609 3332 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/22 17:27:47.0687 3332 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/22 17:27:48.0015 3332 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/22 17:27:48.0125 3332 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/22 17:27:48.0250 3332 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/22 17:27:48.0328 3332 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/22 17:27:48.0437 3332 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/22 17:27:48.0578 3332 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/22 17:27:48.0656 3332 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/22 17:27:48.0781 3332 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/22 17:27:48.0859 3332 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/22 17:27:48.0937 3332 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/22 17:27:49.0015 3332 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/22 17:27:49.0109 3332 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/22 17:27:49.0187 3332 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/22 17:27:49.0265 3332 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/22 17:27:49.0359 3332 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/22 17:27:49.0437 3332 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/22 17:27:49.0609 3332 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/22 17:27:49.0828 3332 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/22 17:27:49.0906 3332 ialm (510a5e1cb84e82d4e89dff3d96752048) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/09/22 17:27:50.0031 3332 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/22 17:27:50.0171 3332 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/09/22 17:27:50.0265 3332 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/22 17:27:50.0359 3332 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/22 17:27:50.0421 3332 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/22 17:27:50.0515 3332 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/22 17:27:50.0578 3332 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/22 17:27:50.0656 3332 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/22 17:27:50.0718 3332 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/22 17:27:50.0796 3332 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/22 17:27:50.0906 3332 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/22 17:27:51.0000 3332 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/22 17:27:51.0156 3332 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
2011/09/22 17:27:51.0281 3332 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/22 17:27:51.0390 3332 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/22 17:27:51.0453 3332 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/22 17:27:51.0531 3332 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/22 17:27:51.0656 3332 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/22 17:27:51.0750 3332 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/22 17:27:51.0843 3332 MSDV (6dd721dfd2648f3f6d5808b5ba6cb095) C:\WINDOWS\system32\DRIVERS\msdv.sys
2011/09/22 17:27:51.0921 3332 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/22 17:27:52.0046 3332 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/22 17:27:52.0140 3332 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/22 17:27:52.0234 3332 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/22 17:27:52.0312 3332 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/22 17:27:52.0406 3332 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/22 17:27:52.0500 3332 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/22 17:27:52.0578 3332 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/22 17:27:52.0671 3332 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/22 17:27:52.0750 3332 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/22 17:27:52.0828 3332 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/22 17:27:52.0890 3332 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/22 17:27:52.0968 3332 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/22 17:27:53.0046 3332 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/22 17:27:53.0125 3332 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/22 17:27:53.0203 3332 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/22 17:27:53.0359 3332 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/09/22 17:27:53.0453 3332 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/22 17:27:53.0546 3332 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/22 17:27:53.0656 3332 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/22 17:27:53.0734 3332 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/22 17:27:53.0812 3332 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/22 17:27:53.0890 3332 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/09/22 17:27:53.0968 3332 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/22 17:27:54.0031 3332 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/22 17:27:54.0125 3332 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/22 17:27:54.0187 3332 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/22 17:27:54.0296 3332 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/22 17:27:54.0390 3332 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/22 17:27:54.0781 3332 pfc (e5ac9f8c128b597dd7919af96b84172e) C:\WINDOWS\system32\drivers\pfc.sys
2011/09/22 17:27:54.0875 3332 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/22 17:27:54.0937 3332 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/22 17:27:55.0015 3332 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/22 17:27:55.0093 3332 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/09/22 17:27:55.0421 3332 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/22 17:27:55.0500 3332 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/22 17:27:55.0578 3332 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/22 17:27:55.0656 3332 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/22 17:27:55.0750 3332 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/22 17:27:55.0812 3332 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/22 17:27:55.0906 3332 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/22 17:27:56.0000 3332 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/22 17:27:56.0156 3332 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/22 17:27:56.0250 3332 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/22 17:27:56.0328 3332 Serial (a9bfb60fbb01bba6fe1b1419d08b66b1) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/22 17:27:56.0328 3332 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: a9bfb60fbb01bba6fe1b1419d08b66b1, Fake md5: cd9404d115a00d249f70a371b46d5a26
2011/09/22 17:27:56.0328 3332 Serial - detected Rootkit.Win32.ZAccess.e (0)
2011/09/22 17:27:56.0421 3332 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/22 17:27:56.0546 3332 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/22 17:27:56.0703 3332 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/22 17:27:56.0765 3332 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/22 17:27:56.0828 3332 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/22 17:27:56.0968 3332 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/22 17:27:57.0031 3332 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/22 17:27:57.0109 3332 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/22 17:27:57.0375 3332 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/22 17:27:57.0468 3332 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/22 17:27:57.0578 3332 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/22 17:27:57.0671 3332 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/22 17:27:57.0750 3332 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/22 17:27:57.0906 3332 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/22 17:27:58.0046 3332 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/22 17:27:58.0156 3332 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/09/22 17:27:58.0265 3332 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/22 17:27:58.0359 3332 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/22 17:27:58.0453 3332 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/22 17:27:58.0546 3332 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/22 17:27:58.0656 3332 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/22 17:27:58.0750 3332 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/22 17:27:58.0812 3332 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/22 17:27:58.0875 3332 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/09/22 17:27:59.0000 3332 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/22 17:27:59.0109 3332 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/22 17:27:59.0265 3332 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/22 17:27:59.0453 3332 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/22 17:27:59.0562 3332 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/22 17:27:59.0687 3332 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/22 17:27:59.0781 3332 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/22 17:27:59.0906 3332 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR1
2011/09/22 17:28:00.0937 3332 Boot (0x1200) (859778526c1253bbaaf2de604f62b3c9) \Device\Harddisk0\DR0\Partition0
2011/09/22 17:28:00.0968 3332 Boot (0x1200) (dd1d9486e3caaa8d3e9d02b4edc2055d) \Device\Harddisk1\DR1\Partition0
2011/09/22 17:28:00.0968 3332 ================================================================================
2011/09/22 17:28:00.0968 3332 Scan finished
2011/09/22 17:28:00.0968 3332 ================================================================================
2011/09/22 17:28:01.0000 3324 Detected object count: 2
2011/09/22 17:28:01.0000 3324 Actual detected object count: 2
2011/09/22 17:58:33.0234 3324 HiddenFile.Multi.Generic(406e5a99) - User select action: Skip
2011/09/22 17:58:33.0312 3324 Serial (a9bfb60fbb01bba6fe1b1419d08b66b1) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/22 17:58:33.0328 3324 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\serial.sys) error 1813
2011/09/22 17:58:37.0453 3324 Backup copy found, using it..
2011/09/22 17:58:37.0500 3324 C:\WINDOWS\system32\DRIVERS\serial.sys - will be cured after reboot
2011/09/22 17:58:37.0500 3324 Rootkit.Win32.ZAccess.e(Serial) - User select action: Cure

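The two detections in the TDSSKiller log above are worth reading carefully: the first is a hidden file whose name contains a second colon (`C:\WINDOWS\2572840512:3213993318.exe`), the naming form of an NTFS alternate data stream attached to the `C:\WINDOWS` directory, and the second is a driver (`serial.sys`) whose "Real md5" and "Fake md5" differ, meaning the rootkit serves a different copy of the file to normal reads than what is on disk. The following triage helper is an added example written for this thread; it is not part of TDSSKiller or of the original post. It parses the 2.5.x log format shown above (the line layout and the regular expressions are assumptions inferred from that log), joins the enumeration line, the "Suspicious file" line and the "detected" line for each object, and flags ADS-style paths. The sample lines embedded in it are copied from the log posted above.

```python
"""Triage helper for TDSSKiller 2.5.x scan logs (added example, not TDSSKiller code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: seven lines taken from the TDSSKiller log posted in this thread.
SAMPLE_LOG = r"""
2011/09/22 17:27:42.0953 3332 406e5a99 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\2572840512:3213993318.exe
2011/09/22 17:27:45.0046 3332 Suspicious file (Hidden): C:\WINDOWS\2572840512:3213993318.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/09/22 17:27:45.0062 3332 406e5a99 - detected HiddenFile.Multi.Generic (1)
2011/09/22 17:27:46.0765 3332 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/22 17:27:56.0328 3332 Serial (a9bfb60fbb01bba6fe1b1419d08b66b1) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/22 17:27:56.0328 3332 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: a9bfb60fbb01bba6fe1b1419d08b66b1, Fake md5: cd9404d115a00d249f70a371b46d5a26
2011/09/22 17:27:56.0328 3332 Serial - detected Rootkit.Win32.ZAccess.e (0)
"""

# Every log line starts with "YYYY/MM/DD HH:MM:SS.mmmm <thread-id>" (assumed from the log layout).
PREFIX = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
# Enumeration line: "<service> (<md5>) <path>"
ENTRY_RE = re.compile(PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Suspicious file (Hidden): <path>. md5: <h>" or "... (Forged): <path>. Real md5: <h>, Fake md5: <h>"
SUSP_RE = re.compile(
    PREFIX + r"Suspicious file \((?P<kind>Hidden|Forged)\): (?P<path>.+?)\. "
    r"(?:md5: (?P<md5>[0-9a-f]{32})|Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32}))$"
)
# Verdict line: "<service> - detected <name> (<n>)"
DETECT_RE = re.compile(PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")


@dataclass
class Finding:
    service: str
    path: str
    verdict: str
    kind: str        # "Hidden", "Forged", or "?" when no Suspicious line was seen
    ads: bool        # True when the path names an NTFS alternate data stream
    real_md5: str    # hash of the bytes actually on disk
    fake_md5: str    # hash presented to normal file reads (Forged only), else ""


def is_ads_path(path: str) -> bool:
    """A colon inside the last path component (not the drive letter) marks an ADS."""
    parts = path.split("\\")
    return len(parts) > 1 and ":" in parts[-1]


def parse_tdsskiller(text: str) -> List[Finding]:
    """Join enumeration, Suspicious and detected lines into one Finding per detected object."""
    entries: Dict[str, Tuple[str, str]] = {}   # service name -> (md5, path)
    suspicious: Dict[str, dict] = {}           # lower-cased path -> groups of the Suspicious line
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m["name"]] = (m["md5"], m["path"])
            continue
        m = SUSP_RE.match(line)
        if m:
            suspicious[m["path"].lower()] = m.groupdict()

    findings: List[Finding] = []
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if not m:
            continue
        md5, path = entries.get(m["name"], ("", ""))
        s = suspicious.get(path.lower(), {})
        findings.append(Finding(
            service=m["name"],
            path=path,
            verdict=m["verdict"],
            kind=s.get("kind") or "?",
            ads=is_ads_path(path),
            real_md5=s.get("real") or s.get("md5") or md5,
            fake_md5=s.get("fake") or "",
        ))
    return findings


if __name__ == "__main__":
    for f in parse_tdsskiller(SAMPLE_LOG):
        note = "ADS-style path" if f.ads else ("API/raw hash mismatch" if f.kind == "Forged" else "")
        print(f"{f.verdict:28} {f.kind:7} {f.service:10} {f.path}  {note}")
```

Running it on the sample prints one line per detected object; for this thread that is the hidden ADS entry and the forged `serial.sys`. The "Forged" case is the one to treat as a kernel-level compromise rather than a stray file: a user-mode tool that hashes `serial.sys` through the normal file API will see the fake hash and report the driver as clean, which is why the same scan has to be repeated after the reboot that TDSSKiller schedules for the cure.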

Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by Belahzur on 24th September 2011, 6:16 pm

Hi,


Download Combofix from any of the links below, and save it to your desktop.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See [You must be registered and logged in to see this link.] for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click PCHelpForum.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245121
# Likes : 1

Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 24th September 2011, 7:08 pm

Here is the log from ComboFix; it found a virus called "rootkit.noaccess" or something, then rebooted. Log:

ComboFix 11-09-24.03 - RAMON 09/24/2011 11:38:04.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1007.682 [GMT -7:00]
Running from: c:\documents and settings\RAMON\Desktop\PCHelpForum.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\RAMON\Application Data\Adobe\plugs
c:\documents and settings\RAMON\Application Data\Adobe\shed
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\chrome.manifest
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\install.js
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\install.rdf
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\META-INF\manifest.mf
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\META-INF\zigbert.sf
c:\documents and settings\RAMON\pkhxnbfteg.tmp
c:\documents and settings\RAMON\WINDOWS
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{77ac95fc-941d-4c31-a4f2-421895f2cb20}
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{77ac95fc-941d-4c31-a4f2-421895f2cb20}\chrome\xulcache.jar
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{77ac95fc-941d-4c31-a4f2-421895f2cb20}\defaults\preferences\xulcache.js
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{77ac95fc-941d-4c31-a4f2-421895f2cb20}\install.rdf
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{d12e538f-4f1e-4ce1-8f7f-0771f94a1b1d}
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{d12e538f-4f1e-4ce1-8f7f-0771f94a1b1d}\chrome\xulcache.jar
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{d12e538f-4f1e-4ce1-8f7f-0771f94a1b1d}\defaults\preferences\xulcache.js
c:\documents and settings\Ramon2\Application Data\Mozilla\Firefox\Profiles\3bvn5pl9.default\extensions\{d12e538f-4f1e-4ce1-8f7f-0771f94a1b1d}\install.rdf
C:\LOG12A.tmp
C:\LOG22.tmp
C:\LOG31.tmp
C:\LOG4.tmp
C:\LOG5.tmp
C:\LOG6.tmp
C:\LOG9B.tmp
C:\LOGB1.tmp
C:\LOGB2.tmp
C:\LOGB3.tmp
C:\LOGB4.tmp
C:\LOGB7.tmp
C:\LOGBD.tmp
C:\LOGC.tmp
C:\LOGC6.tmp
C:\LOGC7.tmp
C:\LOGCD.tmp
C:\LOGD.tmp
C:\LOGE2.tmp
C:\LOGE3.tmp
C:\LOGE4.tmp
C:\LOGE5.tmp
C:\LOGE6.tmp
C:\LOGE7.tmp
C:\LOGF2.tmp
c:\program files\alexa toolbar
c:\program files\alexa toolbar\AlexaToolbar.10.0.dll
c:\program files\alexa toolbar\AlexaToolbar.10.0.Uninstall.exe
c:\program files\alexa toolbar\AlexaToolbarSSB.10.0.dll
c:\program files\alexa toolbar\AlxSSBPS.dll
c:\program files\SoftonicDownloader60361.exe
c:\windows\$NtUninstallKB58632$
c:\windows\$NtUninstallKB58632$\1080973977\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB58632$\1080973977\click.tlb
c:\windows\$NtUninstallKB58632$\1080973977\L\cokiejsi
c:\windows\$NtUninstallKB58632$\1080973977\loader.tlb
c:\windows\$NtUninstallKB58632$\1080973977\U\@00000001
c:\windows\$NtUninstallKB58632$\1080973977\U\@000000c0
c:\windows\$NtUninstallKB58632$\1080973977\U\@000000cb
c:\windows\$NtUninstallKB58632$\1080973977\U\@000000cf
c:\windows\$NtUninstallKB58632$\1080973977\U\@80000000
c:\windows\$NtUninstallKB58632$\1080973977\U\@800000c0
c:\windows\$NtUninstallKB58632$\1080973977\U\@800000cb
c:\windows\$NtUninstallKB58632$\1080973977\U\@800000cf
c:\windows\$NtUninstallKB58632$\1260893071
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\system32\c_45274.nls
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe . . . is infected!!
c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Bonjour\mDNSResponder.exe . . . is infected!!
c:\program files\Bonjour\mDNSResponder.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Google\Update\GoogleUpdate.exe . . . is infected!!
c:\program files\Google\Update\GoogleUpdate.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe . . . is infected!!
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\iPod\bin\iPodService.exe . . . is infected!!
c:\program files\iPod\bin\iPodService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Mali3\mbamservice.exe . . . is infected!!
c:\program files\Mali3\mbamservice.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE . . . is infected!!
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe . . . is infected!!
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_406e5a99
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-24 18:35 . 2004-08-04 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-09-24 18:35 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-22 18:42 . 2011-09-24 18:51 -------- d-----w- c:\program files\Mali3
2011-09-22 18:40 . 2011-09-23 21:33 50112 --sha-w- c:\windows\system32\c_45274.nl_
2011-09-21 22:46 . 2011-09-23 21:34 -------- d-----w- C:\~BCWipe.stu
2011-09-21 22:36 . 2011-09-22 18:42 -------- d-----w- c:\program files\Mali2
2011-09-01 19:26 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-01 18:57 . 2011-09-01 18:57 4194304 ----a-w- c:\windows\system32\cokiejsi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-23 21:33 . 2004-08-04 12:00 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-23 00:26 . 2004-08-04 12:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-08-13 17:09 . 2011-05-18 00:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 01:32 . 2004-08-04 12:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-02-05 3179952]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-08-09 1961984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-12 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2006-02-17 311296]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-10-27 149280]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 97357]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Mali3\mbamgui.exe" [2011-09-01 449608]
.
c:\documents and settings\RAMON\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\RAMON\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\JAlbum7.1\\JAlbumWin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/1/2011 12:26 PM 22216]
S0 huyjksx;huyjksx;c:\windows\system32\drivers\viaeh.sys --> c:\windows\system32\drivers\viaeh.sys [?]
S0 pykcwl;pykcwl;c:\windows\system32\drivers\mdfhr.sys --> c:\windows\system32\drivers\mdfhr.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 MBAMService;MBAMService;"c:\program files\Mali3\mbamservice.exe" --> c:\program files\Mali3\mbamservice.exe [?]
S3 Altsvert;Altsvert; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [7/28/2005 1:58 AM 88080]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Save Picture to Mobile Phone - c:\program files\Pix2Fone\p2fd.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TinEye Reverse Image Search: [You must be registered and logged in to see this link.] - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Element Properties: [You must be registered and logged in to see this link.] - %profile%\extensions\properties@darktrojan.net
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Alexa Toolbar: [You must be registered and logged in to see this link.] - %profile%\extensions\toolbar@alexa.com
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{EA582743-9076-4178-9AA6-7393FDF4D5CE} - c:\program files\Alexa Toolbar\AlexaToolbar.10.0.dll
SafeBoot-16031650.sys
SafeBoot-17474288.sys
SafeBoot-29783096.sys
AddRemove-Advanced Archive Password Recovery - g:\mydocuments\NN\Vidssites\zip\ARCHPR\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-09-24 11:53
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{566142e4-5d58-4424-88aa-dc91fddbd448}]
@Denied: (Full) (Everyone)
"Model"=dword:000000bd
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):32,55,37,8e,25,33,ae,36,2d,64,55,e3,4a,b9,40,b8,7f,2a,16,c8,2e,
3c,c3,6a,93,54,5f,68,a1,2e,6b,2f,7a,33,3e,13,6a,a7,45,24,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):1a,ad,0a,2c,64,b0,66,a2,c1,a9,9b,d8,6e,03,95,3e,82,95,bd,70,3e,
ce,d0,5a,ad,86,6d,d5,57,c1,83,5a,eb,3c,67,b8,d6,bf,f9,aa,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{cc14e5d2-a9b2-41ed-9afd-6cf0c8ea01ac}]
@Denied: (Full) (Everyone)
"Model"=dword:00000153
"Therad"=dword:00000025
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SOUNDMAN.EXE
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2011-09-24 12:01:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-24 19:01
.
Pre-Run: 59,387,826,176 bytes free
Post-Run: 60,000,546,816 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 6E9F43690B3123E6404246AAD64DFEC1

brokecomp (Novice) | Posts: 11 | Joined: 2011-09-21 | OS: Windows XP Home Edition | Points: 19233 | Likes: 0

Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 24th September 2011, 7:23 pm

I was finally able to run Malwarebytes and it didn't find any virus. So does this mean it's clean, or should I do something else? By the way, thanks a lot for all the help so far.


Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by Belahzur on 24th September 2011, 8:14 pm

Hello.
The malware caused quite a bit of damage to your system. Luckily it's reversible, but some of your programs may not work correctly and will need to be uninstalled and re-installed on your system.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    http://www.GeekPolice.net/t28018-alureon-aji-rootkit-virus-redirects-search-results-and-shuts-down-malwarebytes

    Collect::
    c:\windows\system32\c_45274.nl_

    FileLook::
    c:\windows\system32\cokiejsi.dll

    Driver::
    huyjksx
    pykcwl

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{566142e4-5d58-4424-88aa-dc91fddbd448}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{cc14e5d2-a9b2-41ed-9afd-6cf0c8ea01ac}]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Note: Additionally, ComboFix will want to upload some files for analysis. Don't be alarmed, this is normal. Please make sure you have a working internet connection so they are uploaded.


Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) | Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245121 | Likes: 1
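As an added example (my own code, not a ComboFix or GeekPolice tool), the triage below reads ComboFix log lines like the ones posted above and flags the same indicators the CFScript in this reply targets: boot-start drivers whose binary is missing, the Security Center overrides, the CLSID keys locked with @Denied, and the Firefox security warnings switched off, then emits the matching Driver:: and RegLock:: stanzas. The regular expressions are my reading of the log layout, and the sample log is a constructed, cut-down copy of lines from this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a cut-down copy of ComboFix log lines quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/1/2011 12:26 PM 22216]
S0 huyjksx;huyjksx;c:\windows\system32\drivers\viaeh.sys --> c:\windows\system32\drivers\viaeh.sys [?]
S0 pykcwl;pykcwl;c:\windows\system32\drivers\mdfhr.sys --> c:\windows\system32\drivers\mdfhr.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Altsvert;Altsvert; [x]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [7/28/2005 1:58 AM 88080]
.
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{566142e4-5d58-4424-88aa-dc91fddbd448}]
@Denied: (Full) (Everyone)
"Model"=dword:000000bd
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"""

# Service line: R/S state, start type, name, display name, image path, an optional
# "--> resolved path", and a bracketed stamp; "[?]" is the stamp ComboFix prints
# when it cannot find the file (my reading of the log layout in this thread).
SERVICE_RE = re.compile(r"^[RS]([0-4]) ([^;]+);[^;]*;.*?(?: --> .*?)? \[(.*)\]$")
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FF_WARN_RE = re.compile(r"^FF - user\.js: (security\.warn_[\w.]+) - false$")


@dataclass
class Triage:
    missing_boot_drivers: list = field(default_factory=list)  # S0/S1 drivers, file not found
    missing_other: list = field(default_factory=list)         # other services, file not found
    denied_keys: list = field(default_factory=list)           # keys locked with @Denied Everyone
    overrides: list = field(default_factory=list)             # Security Center overrides set to 1
    weak_ff_prefs: list = field(default_factory=list)         # Firefox security warnings disabled


def parse_log(text: str) -> Triage:
    """Walk the log once and collect the indicators seen in this infection."""
    t = Triage()
    current_key = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := SERVICE_RE.match(line):
            start, name, stamp = m.groups()
            if stamp == "?":
                # A boot/system-start driver whose binary is gone, under a random-looking
                # name, is exactly what the Driver:: stanza in this thread removes.
                (t.missing_boot_drivers if start in "01" else t.missing_other).append(name)
        elif m := KEY_RE.match(line):
            current_key = m.group(1)           # remember the key a following @Denied refers to
        elif line.startswith("@Denied:") and current_key:
            t.denied_keys.append(current_key)  # self-protection: Everyone denied full access
        elif m := OVERRIDE_RE.match(line):
            t.overrides.append(m.group(1))     # Security Center told not to alert on AV/firewall
        elif m := FF_WARN_RE.match(line):
            t.weak_ff_prefs.append(m.group(1))  # mixed-content / insecure-submit warnings off
    return t


def build_cfscript(t: Triage) -> str:
    """Emit Driver:: and RegLock:: stanzas in the layout of the CFScript in this thread."""
    stanzas = []
    if t.missing_boot_drivers:
        stanzas.append("Driver::\n" + "\n".join(t.missing_boot_drivers))
    if t.denied_keys:
        stanzas.append("RegLock::\n" + "\n".join(f"[{k}]" for k in t.denied_keys))
    return "\n\n".join(stanzas) + ("\n" if stanzas else "")


if __name__ == "__main__":
    triage = parse_log(SAMPLE_LOG)
    for label, items in vars(triage).items():
        if items:
            print(f"{label}: {', '.join(items)}")
    print("\n" + build_cfscript(triage))
```

Run against the sample, the Driver:: names and RegLock:: keys it prints are the same two drivers and the locked CLSID keys that the CFScript in this reply lists.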

Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 24th September 2011, 8:58 pm

Here is the log. I had renamed ComboFix to pchelpforum.exe as previously instructed, so I put CFScript.txt into pchelpforum.exe; hope this was OK. It made an update, then scanned everything all over again and also sent up the files for further scanning.

Before this I had installed Malwarebytes again and it had scanned correctly and found no viruses. I also noticed, like you said before, that it removed some of my programs, which is OK with me, I can reinstall them. I had actually started to reinstall one, but then stopped once I got your reply. I'll wait to finish all your instructions before reinstalling anything. No point in having them removed again by ComboFix.

Here is the log:

ComboFix 11-09-24.04 - RAMON 09/24/2011 13:29:04.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1007.567 [GMT -7:00]
Running from: c:\documents and settings\RAMON\Desktop\PCHelpForum.exe
Command switches used :: c:\documents and settings\RAMON\Desktop\CFScript.txt
.
file zipped: c:\windows\system32\c_45274.nl_
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\chrome.manifest
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\chrome\idmmzcc.jar
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\components\iIDMMzCC.xpt
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\install.js
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\install.rdf
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\META-INF\manifest.mf
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\META-INF\zigbert.rsa
c:\documents and settings\RAMON\Application Data\IDM\idmmzcc3\META-INF\zigbert.sf
c:\documents and settings\RAMON\Application Data\Ovxob
c:\documents and settings\RAMON\Application Data\Ovxob\wauvk.tmp
c:\documents and settings\RAMON\Application Data\Ovxob\wauvk.uvu
c:\windows\system32\c_45274.nl_
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_huyjksx
-------\Service_pykcwl
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-24 19:09 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-24 18:35 . 2004-08-04 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-09-24 18:35 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-09-22 18:42 . 2011-09-24 19:09 -------- d-----w- c:\program files\Mali3
2011-09-21 22:46 . 2011-09-23 21:34 -------- d-----w- C:\~BCWipe.stu
2011-09-21 22:36 . 2011-09-22 18:42 -------- d-----w- c:\program files\Mali2
2011-09-01 19:26 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-01 18:57 . 2011-09-01 18:57 4194304 ----a-w- c:\windows\system32\cokiejsi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-23 21:33 . 2004-08-04 12:00 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-09-23 00:26 . 2004-08-04 12:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-08-13 17:09 . 2011-05-18 00:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 01:32 . 2004-08-04 12:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\cokiejsi.dll ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 4194304
Created time: 2011-09-01 18:57
Modified time: 2011-09-01 18:57
MD5: D49F3791EF80C02EB96C64F6AE8A39B9
SHA1: EDF97FA303F33804019968773EB8572E1A1CA88F
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-09-24 3179952]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-08-09 1961984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-12 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2006-02-17 311296]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-10-27 149280]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 366400]
"StormCodec_Helper"="c:\program files\Ringz Studio\Storm Codec\StormSet.exe" [2006-11-26 97357]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Mali3\mbamgui.exe" [2011-07-07 449584]
.
c:\documents and settings\RAMON\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\RAMON\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\JAlbum7.1\\JAlbumWin.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 MBAMService;MBAMService;c:\program files\Mali3\mbamservice.exe [9/24/2011 12:09 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/1/2011 12:26 PM 22712]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Altsvert;Altsvert; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [7/28/2005 1:58 AM 88080]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Save Picture to Mobile Phone - c:\program files\Pix2Fone\p2fd.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\RAMON\Application Data\Mozilla\Firefox\Profiles\kctzac7p.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TinEye Reverse Image Search: [You must be registered and logged in to see this link.] - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Element Properties: [You must be registered and logged in to see this link.] - %profile%\extensions\properties@darktrojan.net
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Alexa Toolbar: [You must be registered and logged in to see this link.] - %profile%\extensions\toolbar@alexa.com
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-09-24 13:43
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1660)
c:\windows\system32\WININET.dll
c:\documents and settings\RAMON\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SOUNDMAN.EXE
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2011-09-24 13:50:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-24 20:50
ComboFix2.txt 2011-09-24 19:01
.
Pre-Run: 60,038,946,816 bytes free
Post-Run: 60,019,056,640 bytes free
.
- - End Of File - - CEBB1D41AF04400DFDF54327FAF07C1C
Upload was successful


Thanks again for your help so far!


Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by Belahzur on 24th September 2011, 9:14 pm

Hello.
Nearly done. You had a very messy infection, so I'm just cleaning things up now.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\windows\system32\cokiejsi.dll

    :commands
    [emptytemp]
    [clearallrestorepoints]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.





Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 25th September 2011, 2:58 am

I ran OTL with the info above, but at the end it did not open a fix log. It removed all my icons and is frozen with only the OTL window open, and it says "Process completed" at the bottom. It's been like this for about 30 minutes; not sure what to do now. I'll leave it like that for a while to see if it does something, or is there any suggestion? It seems to be frozen because I also can't move the window around.


Re: Alureon-AJI/Rootkit virus redirects search results and shuts down malwarebytes

Post by brokecomp on 25th September 2011, 4:06 am

After about an hour and a half of it still being frozen, I decided to shut down OTL using the Task Manager. Without having any icons or the bottom bar in Windows, I used the power button on my CPU to shut down the computer. When it restarted, OTL did indeed pop up a fix log. Here is what it had:

All processes killed
========== FILES ==========
c:\windows\system32\cokiejsi.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: house

User: Irma
->Temp folder emptied: 541161 bytes
->Temporary Internet Files folder emptied: 16553768 bytes
->FireFox cache emptied: 1236112 bytes
->Flash cache emptied: 348 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: MusicVids

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: RAMON
->Temp folder emptied: 10605 bytes
->Temporary Internet Files folder emptied: 327974 bytes
->Java cache emptied: 25452117 bytes
->FireFox cache emptied: 150473185 bytes
->Flash cache emptied: 15557 bytes

User: Ramon2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 8434 bytes
->FireFox cache emptied: 13040173 bytes
->Flash cache emptied: 0 bytes

User: Unitedyp

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 3132433 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 452 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 203.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.29.1 log created on 09242011_192841

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Post by Belahzur on 26th September 2011, 5:48 pm

Hello.
Looks good, just programs to update now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 7.0.8
    Adobe Reader 7.0.5 Language Support
    Alexa Toolbar
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 15
    Viewpoint Media Player

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-7-windows-i586.exe that you downloaded to install the newest version.

Please download [You must be registered and logged in to see this link.] and install it. It will install over version 3.6.22 you currently have installed, so you won't lose any bookmarked websites.

Download and install [You must be registered and logged in to see this link.]
When installing, it will ask if you want to uninstall the old version first before it can install the new version, so please select yes and allow it to install.

Then download and install [You must be registered and logged in to see this link.]

How is the machine running now?





Post by brokecomp on 26th September 2011, 11:44 pm

Did all the recommended tasks of removing the programs and adding the ones you asked. Computer is running great so far, thanks a lot! You have no idea how much you have helped me. This computer and my laptop were in so much trouble. On my laptop I had to use the restore disks to start from scratch. It didn't help with the slow connection to the internet, so I assume that one has a different issue. But this desktop was my main computer I used for doing work. As soon as it got infected and I couldn't fix it myself, I knew it was going to be a big headache. But thanks to you guys, you got me back up and running.

I'll definitely add the paid Malwarebytes to this computer later in the week so it doesn't happen again. You guys do a GREAT job!


Post by Belahzur on 27th September 2011, 8:17 pm

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has real-time protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:
Thank you for choosing GeekPolice. [You must be registered and logged in to see this link.]




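A small check that follows on from the HOSTS-file advice in the post above, added here as an example; it is not code from the post, from GeekPolice, or from the HOSTS tool the post links to. It parses a HOSTS file the way the OS does (first field an address, remaining fields hostnames, `#` starts a comment), lists the names the file sinks to the loopback or unspecified address, which is the blocking effect described, and separately flags any name pointed at some other address, since a blocklist never does that and a HOSTS-based redirect of a search engine or security site would look exactly like such an entry. The sample HOSTS content, the function names and the `.test` hostnames are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample HOSTS content (not taken from the thread): a blocklist-style
# file plus one malformed line and one redirect-style entry that should be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# blocklist-style entries
127.0.0.1       ads.example-adnetwork.test
0.0.0.0         tracker.example.test      # trailing comment is ignored
127.0.0.1 malware.example.test badsite.example.test
not-an-address  skipped.example.test
# redirect-style entry: a site pointed at a non-loopback address
203.0.113.7     www.example-search.test
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every valid HOSTS entry.

    Comment text after '#' is dropped, blank lines and lines whose first
    field is not an IP address are skipped, and hostnames are lower-cased.
    """
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; the resolver ignores such lines too
        entries.append((fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_sink(address: str) -> bool:
    """True for addresses that make a name unreachable (127.x.x.x, ::1, 0.0.0.0)."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def blocked_hosts(text: str) -> List[str]:
    """Names sunk to loopback/unspecified: the blocklist effect the post describes."""
    names: List[str] = []
    for address, hosts in parse_hosts(text):
        if is_sink(address):
            names.extend(h for h in hosts if h != "localhost")
    return names


def redirect_suspects(text: str) -> Dict[str, str]:
    """Names mapped to any address other than a local sink.

    A blocklist only ever points names at the local machine, so an entry that
    sends a hostname somewhere else deserves a manual look: that is the shape a
    HOSTS-based redirect of a search engine or security vendor would take.
    """
    return {
        h: address
        for address, hosts in parse_hosts(text)
        if not is_sink(address)
        for h in hosts
    }


if __name__ == "__main__":
    print("blocked:", blocked_hosts(SAMPLE_HOSTS))
    print("redirect suspects:", redirect_suspects(SAMPLE_HOSTS))
```

On a Windows machine the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; read it with `open(path, encoding="utf-8", errors="replace").read()` and pass the text to the two functions. An empty `redirect_suspects` result is what a clean blocklist install looks like.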
