Heya! I'm currently using Windows Vista 32-bit.
Something happened to my system two nights ago where my program windows (inc. Firefox) reverted to Windows 95 style for a short time. Then my computer automatically restarted, and when it rebooted all of my files and folders were gone! However, my desktop background remained unchanged.
I did a system restore, and many of my files and folders came back, but the majority were still gone. Turns out they were randomly made hidden. Around this time my Firefox browser occasionally opens new tabs by itself, or redirects Google searches, so I suspect malware is the problem.
I ran the following in this order: Avira Virus Scan, Malwarebytes, GMER, and DDS. All logs are pasted below. Please help! Thanks in advance. =)
AVIRA SCAN:
Avira AntiVir Personal
Report file date: Tuesday, 24 May 2011 20:24
Scanning for 2757234 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 1) [6.0.6001]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ONUR-PC
Version information:
BUILD.DAT : 10.0.0.648 31823 Bytes 1/04/2011 18:36:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 1/04/2011 07:07:43
AVSCAN.DLL : 10.0.3.0 46440 Bytes 1/04/2011 07:07:57
LUKE.DLL : 10.0.3.2 104296 Bytes 1/04/2011 07:07:53
LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 14:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 00:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 06:15:47
VBASE002.VDF : 7.11.3.0 1950720 Bytes 9/02/2011 06:15:47
VBASE003.VDF : 7.11.5.225 1980416 Bytes 7/04/2011 10:12:21
VBASE004.VDF : 7.11.5.226 2048 Bytes 7/04/2011 10:12:21
VBASE005.VDF : 7.11.5.227 2048 Bytes 7/04/2011 10:12:22
VBASE006.VDF : 7.11.5.228 2048 Bytes 7/04/2011 10:12:22
VBASE007.VDF : 7.11.5.229 2048 Bytes 7/04/2011 10:12:23
VBASE008.VDF : 7.11.5.230 2048 Bytes 7/04/2011 10:12:23
VBASE009.VDF : 7.11.5.231 2048 Bytes 7/04/2011 10:12:24
VBASE010.VDF : 7.11.5.232 2048 Bytes 7/04/2011 10:12:24
VBASE011.VDF : 7.11.5.233 2048 Bytes 7/04/2011 10:12:25
VBASE012.VDF : 7.11.5.234 2048 Bytes 7/04/2011 10:12:25
VBASE013.VDF : 7.11.6.28 158208 Bytes 11/04/2011 10:12:28
VBASE014.VDF : 7.11.6.74 116224 Bytes 13/04/2011 10:12:30
VBASE015.VDF : 7.11.6.113 137728 Bytes 14/04/2011 10:12:32
VBASE016.VDF : 7.11.6.150 146944 Bytes 18/04/2011 10:12:34
VBASE017.VDF : 7.11.6.192 138240 Bytes 20/04/2011 10:12:36
VBASE018.VDF : 7.11.6.237 156160 Bytes 22/04/2011 10:12:38
VBASE019.VDF : 7.11.7.45 427520 Bytes 27/04/2011 10:12:42
VBASE020.VDF : 7.11.7.64 192000 Bytes 28/04/2011 10:12:49
VBASE021.VDF : 7.11.7.97 182272 Bytes 2/05/2011 10:12:52
VBASE022.VDF : 7.11.7.127 467968 Bytes 4/05/2011 10:12:58
VBASE023.VDF : 7.11.7.183 185856 Bytes 9/05/2011 10:13:02
VBASE024.VDF : 7.11.7.218 133120 Bytes 11/05/2011 10:13:04
VBASE025.VDF : 7.11.7.234 139776 Bytes 11/05/2011 10:13:06
VBASE026.VDF : 7.11.8.16 147456 Bytes 13/05/2011 10:13:09
VBASE027.VDF : 7.11.8.46 169472 Bytes 17/05/2011 10:13:11
VBASE028.VDF : 7.11.8.109 181760 Bytes 24/05/2011 10:13:14
VBASE029.VDF : 7.11.8.110 2048 Bytes 24/05/2011 10:13:15
VBASE030.VDF : 7.11.8.111 2048 Bytes 24/05/2011 10:13:15
VBASE031.VDF : 7.11.8.115 22016 Bytes 24/05/2011 10:13:16
Engineversion : 8.2.4.242
AEVDF.DLL : 8.1.2.1 106868 Bytes 28/03/2011 06:15:27
AESCRIPT.DLL : 8.1.3.64 1606011 Bytes 24/05/2011 10:13:54
AESCN.DLL : 8.1.7.2 127349 Bytes 28/03/2011 06:15:27
AESBX.DLL : 8.1.3.2 254324 Bytes 28/03/2011 06:15:26
AERDL.DLL : 8.1.9.9 639347 Bytes 25/03/2011 02:21:38
AEPACK.DLL : 8.2.6.8 557430 Bytes 24/05/2011 10:13:46
AEOFFICE.DLL : 8.1.1.22 205178 Bytes 24/05/2011 10:13:43
AEHEUR.DLL : 8.1.2.119 3481976 Bytes 24/05/2011 10:13:42
AEHELP.DLL : 8.1.17.2 246135 Bytes 24/05/2011 10:13:25
AEGEN.DLL : 8.1.5.6 401780 Bytes 24/05/2011 10:13:23
AEEMU.DLL : 8.1.3.0 393589 Bytes 28/03/2011 06:15:19
AECORE.DLL : 8.1.20.5 196983 Bytes 24/05/2011 10:13:21
AEBB.DLL : 8.1.1.0 53618 Bytes 28/03/2011 06:15:19
AVWINLL.DLL : 10.0.0.0 19304 Bytes 28/03/2011 06:15:31
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/04/2011 07:07:42
AVREP.DLL : 10.0.0.10 174120 Bytes 24/05/2011 10:13:56
AVREG.DLL : 10.0.3.2 53096 Bytes 1/04/2011 07:07:42
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 1/04/2011 07:07:43
AVARKT.DLL : 10.0.22.6 231784 Bytes 1/04/2011 07:07:38
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/04/2011 07:07:41
SQLITE3.DLL : 3.6.19.0 355688 Bytes 17/06/2010 05:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 28/03/2011 06:15:30
NETNT.DLL : 10.0.0.0 11624 Bytes 28/03/2011 06:15:39
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/04/2011 07:07:58
RCTEXT.DLL : 10.0.58.0 97128 Bytes 28/03/2011 06:15:52
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Tuesday, 24 May 2011 20:24
Starting search for hidden objects.
The scan of running processes will be started
Scan process 'wmiprvse.exe' - '44' Module(s) have been scanned
Scan process 'STARFI~1.SCR' - '25' Module(s) have been scanned
Scan process 'avscan.exe' - '88' Module(s) have been scanned
Scan process 'avcenter.exe' - '91' Module(s) have been scanned
Scan process 'avgnt.exe' - '55' Module(s) have been scanned
Scan process 'sched.exe' - '61' Module(s) have been scanned
Scan process 'avshadow.exe' - '38' Module(s) have been scanned
Scan process 'avguard.exe' - '72' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'vssvc.exe' - '60' Module(s) have been scanned
Scan process 'mcupdmgr.exe' - '82' Module(s) have been scanned
Scan process 'svchost.exe' - '161' Module(s) have been scanned
Scan process 'WinMail.exe' - '89' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '71' Module(s) have been scanned
Scan process 'iPodService.exe' - '36' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '79' Module(s) have been scanned
Scan process 'McSvHost.exe' - '153' Module(s) have been scanned
Scan process 'mfefire.exe' - '34' Module(s) have been scanned
Scan process 'mcshield.exe' - '73' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '38' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '89' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '50' Module(s) have been scanned
Scan process 'SeaPort.exe' - '69' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'mfevtps.exe' - '40' Module(s) have been scanned
Scan process 'IAANTMon.exe' - '41' Module(s) have been scanned
Scan process 'BtStackServer.exe' - '78' Module(s) have been scanned
Scan process 'ehmsas.exe' - '26' Module(s) have been scanned
Scan process 'Apntex.exe' - '27' Module(s) have been scanned
Scan process 'HidFind.exe' - '29' Module(s) have been scanned
Scan process 'ApMsgFwd.exe' - '29' Module(s) have been scanned
Scan process 'DellDock.exe' - '89' Module(s) have been scanned
Scan process 'BTTray.exe' - '68' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '35' Module(s) have been scanned
Scan process 'ehtray.exe' - '31' Module(s) have been scanned
Scan process 'sprtcmd.exe' - '69' Module(s) have been scanned
Scan process 'mcagent.exe' - '115' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '75' Module(s) have been scanned
Scan process 'rundll32.exe' - '39' Module(s) have been scanned
Scan process 'PDVDDXSrv.exe' - '45' Module(s) have been scanned
Scan process 'IAAnotif.exe' - '43' Module(s) have been scanned
Scan process 'quickset.exe' - '83' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '67' Module(s) have been scanned
Scan process 'sttray.exe' - '46' Module(s) have been scanned
Scan process 'Apoint.exe' - '37' Module(s) have been scanned
Scan process 'hnm_svc.exe' - '118' Module(s) have been scanned
Scan process 'btwdins.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '38' Module(s) have been scanned
Scan process 'Explorer.EXE' - '167' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '52' Module(s) have been scanned
Scan process 'aestsrv.exe' - '21' Module(s) have been scanned
Scan process 'Dwm.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '64' Module(s) have been scanned
Scan process 'spoolsv.exe' - '89' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '78' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '24' Module(s) have been scanned
Scan process 'svchost.exe' - '100' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '41' Module(s) have been scanned
Scan process 'DockLogin.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '87' Module(s) have been scanned
Scan process 'SLsvc.exe' - '29' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'CTAudSvc.exe' - '31' Module(s) have been scanned
Scan process 'STacSV.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '120' Module(s) have been scanned
Scan process 'svchost.exe' - '80' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'lsm.exe' - '31' Module(s) have been scanned
Scan process 'lsass.exe' - '69' Module(s) have been scanned
Scan process 'services.exe' - '41' Module(s) have been scanned
Scan process 'winlogon.exe' - '39' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'wininit.exe' - '35' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[DETECTION] Contains code of the BOO/TDss.M boot sector virus
[NOTE] The boot sector was not written!
Start scanning boot sectors:
Boot sector 'C:\'
[DETECTION] Contains code of the BOO/TDss.M boot sector virus
[NOTE] The boot sector was not written!
Boot sector 'E:\'
[DETECTION] Contains code of the BOO/TDss.M boot sector virus
[NOTE] The boot sector was not written!
Starting to scan executable files (registry).
The registry was scanned ( '1817' files ).
Starting the file scan:
Begin scan in 'C:\' <OS>
C:\Program Files\Mozilla Firefox\0.19789321904291302.exe
[DETECTION] Is the TR/Fake.Rean.1948 Trojan
C:\Users\Onur\AppData\Local\vah.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
C:\Users\Onur\AppData\Local\Temp\0.16296048091286697.exe
[DETECTION] Is the TR/Dldr.Renos.twf Trojan
C:\Users\Onur\AppData\Local\Temp\0.20220546709169274.exe
[DETECTION] Is the TR/Dldr.Renos.twf Trojan
C:\Users\Onur\AppData\Local\Temp\0.6835808642239324.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
C:\Users\Onur\AppData\Local\Temp\jar_cache1228664689912818467.tmp
[DETECTION] Is the TR/FakeAV.czvb Trojan
C:\Users\Onur\AppData\Local\Temp\jar_cache3488237086204442127.tmp
[DETECTION] Is the TR/Fake.Rean.1948 Trojan
C:\Users\Onur\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-2a7f2e72
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AH Java virus
--> vload.class
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AH Java virus
--> vmain.class
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AG Java virus
C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture1.pdf
[0] Archive type: PDF
[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
--> pdf_img_49.avp
[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture2.pdf
[0] Archive type: PDF
[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
--> pdf_img_0.avp
[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-27140475
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.A exploit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4d2bdafe-227fa66d
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.CP Java virus
--> FAQ/Template.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.CP Java virus
--> tools/Commander.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.CR Java virus
--> tools/Syntax.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.CQ Java virus
--> tools/XmlStandard.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.CO Java virus
C:\Windows\Temp\jar_cache7677709313234663009.tmp
[DETECTION] Is the TR/Drop.Dapato.gp Trojan
Begin scan in 'E:\' <RECOVERY>
Beginning disinfection:
C:\Windows\Temp\jar_cache7677709313234663009.tmp
[DETECTION] Is the TR/Drop.Dapato.gp Trojan
[NOTE] The file was moved to the quarantine directory under the name '4bba6677.qua'.
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\4d2bdafe-227fa66d
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.CO Java virus
[NOTE] The file was moved to the quarantine directory under the name '536d49d3.qua'.
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-27140475
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.A exploit
[NOTE] The file was moved to the quarantine directory under the name '671b56b8.qua'.
C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture2.pdf
[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture1.pdf
[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-2a7f2e72
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AG Java virus
[NOTE] The file was moved to the quarantine directory under the name '113e6fd1.qua'.
C:\Users\Onur\AppData\Local\Temp\jar_cache3488237086204442127.tmp
[DETECTION] Is the TR/Fake.Rean.1948 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6d7a2e7e.qua'.
C:\Users\Onur\AppData\Local\Temp\jar_cache1228664689912818467.tmp
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file was moved to the quarantine directory under the name '40200130.qua'.
C:\Users\Onur\AppData\Local\Temp\0.6835808642239324.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\Local\Temp\0.20220546709169274.exe
[DETECTION] Is the TR/Dldr.Renos.twf Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\Local\Temp\0.16296048091286697.exe
[DETECTION] Is the TR/Dldr.Renos.twf Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\Local\vah.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Program Files\Mozilla Firefox\0.19789321904291302.exe
[DETECTION] Is the TR/Fake.Rean.1948 Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
End of the scan: Wednesday, 25 May 2011 00:39
Used time: 2:26:52 Hour(s)
The scan has been done completely.
26534 Scanned directories
568757 Files were scanned
21 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
6 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
568739 Files not concerned
6470 Archives were scanned
0 Warnings
16 Notes
493798 Objects were scanned with rootkit scan
0 Hidden objects were found
MALWAREBYTES:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6654
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19019
25/05/2011 2:31:32 AM
mbam-log-2011-05-25 (02-31-32).txt
Scan type: Quick scan
Objects scanned: 152166
Time elapsed: 9 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} (Trojan.ZbotR.Gen) -> Value: {9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Onur\AppData\Roaming\microsoft\Windows\start menu\Programs\StartUp\fulo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Onur\AppData\Roaming\microsoft\Windows\start menu\Programs\StartUp\mijoe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\jar_cache3737238844970604673.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\jar_cache646693631889566736.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
GMER:
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit quick scan 2011-05-25 13:26:54
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003
Running: q8zhshzq.exe; Driver: C:\Users\Onur\AppData\Local\Temp\pxldapob.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- System - GMER 1.0.15 ----
Code B13A4233 TmInitSystem
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
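The three logs above, run through a small triage script. This is an added example, not part of the original post and not code from Avira, Malwarebytes or GMER; the sample input is constructed from a few representative lines of the logs above, and the parsers only know the line shapes seen in those logs.

```python
"""Triage helper for the three log formats pasted in this thread (Avira
AntiVir, Malwarebytes' Anti-Malware, GMER). Added example, not part of the
original post and not code from any of those tools. The sample logs are
constructed from a few representative lines of the post's own logs."""
import re

AVIRA_LOG = """\
Master boot sector HD0
[DETECTION] Contains code of the BOO/TDss.M boot sector virus
[NOTE] The boot sector was not written!
Beginning disinfection:
C:\\Windows\\Temp\\jar_cache7677709313234663009.tmp
[DETECTION] Is the TR/Drop.Dapato.gp Trojan
[NOTE] The file was moved to the quarantine directory under the name '4bba6677.qua'.
C:\\Users\\Onur\\AppData\\Local\\vah.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
"""
MBAM_LOG = """\
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\{9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} (Trojan.ZbotR.Gen) -> Value: {9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} -> Quarantined and deleted successfully.
c:\\Users\\Onur\\AppData\\Roaming\\microsoft\\Windows\\start menu\\Programs\\StartUp\\fulo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\\Windows\\Temp\\jar_cache3737238844970604673.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
GMER_LOG = """\
Disk \\Device\\Harddisk0\\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior
"""

AVIRA_OBJECT = re.compile(r"^(?:[A-Za-z]:\\|Master boot sector|Boot sector)")
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
GMER_DISK = re.compile(r"^Disk (?P<device>\S+) (?P<finding>.+?)(?: <-- ROOTKIT !!!)?$")
# Autostart locations that appear in the MBAM log: HKCU Run values, Startup folder.
PERSISTENCE = re.compile(r"\\CurrentVersion\\Run\\|\\Start Menu\\Programs\\StartUp\\", re.I)


def parse_avira(text):
    """One record per scanned object, keyed by object so that the repeated
    path in Avira's disinfection section merges with its scan-section entry."""
    records, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[DETECTION]") and current:
            current["detection"] = line[len("[DETECTION]"):].strip()
        elif line.startswith("[NOTE]") and current:
            current["notes"].append(line[len("[NOTE]"):].strip())
        elif AVIRA_OBJECT.match(line):
            current = records.setdefault(line, {"object": line, "detection": None, "notes": []})
        elif not line.startswith(("[", "-->")):   # "[0] Archive type", "--> member" stay in scope
            current = None                         # anything else is a section header
    return list(records.values())


def parse_mbam(text):
    """One record per 'item (Name) -> ... -> action' line."""
    out = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            out.append({"item": m.group("item"), "name": m.group("name"),
                        "action": m.group("rest").split("->")[-1].strip()})
    return out


def parse_gmer(text):
    """Disk-sector findings; anything GMER labels rootkit(-like) is flagged."""
    out = []
    for line in text.splitlines():
        m = GMER_DISK.match(line.strip())
        if m:
            out.append({"device": m.group("device"), "finding": m.group("finding"),
                        "rootkit": "rootkit" in line.lower()})
    return out


def triage(avira_text, mbam_text, gmer_text):
    """Reduce the three logs to: is the boot sector compromised, which autostarts
    were found, what was actually quarantined, what was detected but not removed."""
    rep = {"boot_sector": [], "persistence": [], "quarantined": [], "unresolved": []}
    for rec in parse_avira(avira_text):
        if rec["object"].startswith(("Master boot sector", "Boot sector")):
            rep["boot_sector"].append(f"Avira {rec['object']}: {rec['detection']}")
        elif any("moved to the quarantine" in n for n in rec["notes"]):
            rep["quarantined"].append(rec["object"])
        else:  # "could not be copied" / "does not exist": gone or hidden by disinfection time
            rep["unresolved"].append(rec["object"])
    for rec in parse_mbam(mbam_text):
        if PERSISTENCE.search(rec["item"]):
            rep["persistence"].append(f"{rec['item']} ({rec['name']})")
        bucket = "quarantined" if rec["action"].startswith("Quarantined") else "unresolved"
        rep[bucket].append(rec["item"])
    for rec in parse_gmer(gmer_text):
        if rec["rootkit"]:
            rep["boot_sector"].append(f"GMER {rec['device']}: {rec['finding']}")
    # An unrepaired boot-sector detection means the running OS cannot be trusted
    # to report on itself; everything else is secondary until that is dealt with.
    rep["offline_cleanup"] = bool(rep["boot_sector"])
    return rep


if __name__ == "__main__":
    for key, value in triage(AVIRA_LOG, MBAM_LOG, GMER_LOG).items():
        print(key, "->", value)
```

On the logs above the script sets `offline_cleanup` because both tools that looked at the disk agree: Avira reports BOO/TDss.M on the MBR and both boot sectors and notes that "the boot sector was not written", and GMER reports TDL4@MBR on \Device\Harddisk0\DR0. The Malwarebytes hits in the HKCU Run value and the Startup folder are the ordinary user-level persistence, and the Avira entries marked "does not exist" are files that were present during the scan but gone (or hidden from the scanner) by the time it tried to quarantine them, so the in-OS scan results should be read as incomplete rather than as a clean bill of health.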
[NOTE] The file does not exist!
C:\Users\Onur\Documents\Files\Uni\1st Year\2009\Semester 1\Mind, Brain and Behaviour\Lectures\Sensation and Perception\880-001Lecture1.pdf
[DETECTION] Is the TR/Spy.Banker.vk.1 Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\c669a2-2a7f2e72
[DETECTION] Contains recognition pattern of the JAVA/Stutter.AG Java virus
[NOTE] The file was moved to the quarantine directory under the name '113e6fd1.qua'.
C:\Users\Onur\AppData\Local\Temp\jar_cache3488237086204442127.tmp
[DETECTION] Is the TR/Fake.Rean.1948 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6d7a2e7e.qua'.
C:\Users\Onur\AppData\Local\Temp\jar_cache1228664689912818467.tmp
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file was moved to the quarantine directory under the name '40200130.qua'.
C:\Users\Onur\AppData\Local\Temp\0.6835808642239324.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\Local\Temp\0.20220546709169274.exe
[DETECTION] Is the TR/Dldr.Renos.twf Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\Local\Temp\0.16296048091286697.exe
[DETECTION] Is the TR/Dldr.Renos.twf Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Onur\AppData\Local\vah.exe
[DETECTION] Is the TR/FakeAV.czvb Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Program Files\Mozilla Firefox\0.19789321904291302.exe
[DETECTION] Is the TR/Fake.Rean.1948 Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
End of the scan: Wednesday, 25 May 2011 00:39
Used time: 2:26:52 Hour(s)
The scan has been done completely.
26534 Scanned directories
568757 Files were scanned
21 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
6 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
568739 Files not concerned
6470 Archives were scanned
0 Warnings
16 Notes
493798 Objects were scanned with rootkit scan
0 Hidden objects were found
MALWAREBYTES:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6654
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19019
25/05/2011 2:31:32 AM
mbam-log-2011-05-25 (02-31-32).txt
Scan type: Quick scan
Objects scanned: 152166
Time elapsed: 9 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} (Trojan.ZbotR.Gen) -> Value: {9E9DA3C5-C7F9-8051-B7C9-5649F9EA3AA3} -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Onur\AppData\Roaming\microsoft\Windows\start menu\Programs\StartUp\fulo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Onur\AppData\Roaming\microsoft\Windows\start menu\Programs\StartUp\mijoe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\jar_cache3737238844970604673.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\jar_cache646693631889566736.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
GMER:
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit quick scan 2011-05-25 13:26:54
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003
Running: q8zhshzq.exe; Driver: C:\Users\Onur\AppData\Local\Temp\pxldapob.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- System - GMER 1.0.15 ----
Code B13A4233 TmInitSystem
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----