TechSpot

Google redirect problems, 8 steps done, logs posted

By Jace0207
Nov 23, 2010
  1. Having a problem with Google redirect. I have completed the 8 steps; the logs are below. Thanks in advance for the help.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5176

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    11/23/2010 10:47:57 AM
    mbam-log-2010-11-23 (10-47-57).txt

    Scan type: Quick scan
    Objects scanned: 143068
    Time elapsed: 6 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-23 11:04:29
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD16 rev.11.0
    Running: gmer.exe; Driver: C:\Users\JOYMIL~1\AppData\Local\Temp\pxrcrkoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8CDB4BAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8CDB49D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8CDB4B0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 8702A292
    Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 8702A292
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVS-26VAT0___________________11.01A11#4&939d6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
     
  2. Jace0207


    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Joy Milam at 11:07:30.82 on Tue 11/23/2010
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.819 [GMT -8:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Windows\ehome\ehtray.exe
    C:\Users\Joy Milam\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\explorer.exe
    C:\Users\Joy Milam\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
    uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [cfFncEnabler.exe] cfFncEnabler.exe
    mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60
    mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [Skytel] Skytel.exe
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\joymil~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mlbtvn~1.lnk - c:\users\joy milam\appdata\local\autobahn\mlb-nexdef-autobahn.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\joymil~1\appdata\roaming\mozilla\firefox\profiles\qhx4z701.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.klove.com/
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\joy milam\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-2 165584]
    R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-15 20384]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-2 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-2 50768]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
    R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-18 62776]
    R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-18 7168]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-15 954368]
    S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-21 9216]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-11-23 09:44:28 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{d8342f02-9b5c-473c-a8c1-69004f1410e7}\mpengine.dll
    2010-11-10 18:08:31 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2010-11-10 04:24:26 -------- d-----w- c:\users\joymil~1\appdata\local\Xenocode
    2010-11-06 19:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2010-11-06 19:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2010-10-27 04:58:58 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 04:58:57 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 04:58:56 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    ==================== Find3M ====================

    2010-10-19 18:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-15 12:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-08 17:07:35 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 15:23:27 389632 ----a-w- c:\windows\system32\html.iec
    2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8702A446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87030504]; MOV EAX, [0x87030580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x82858962] -> \Device\Harddisk0\DR0[0x86A91780]
    3 CLASSPNP[0x8330C8B3] -> ntkrnlpa!IofCallDriver[0x82858962] -> [0x87088880]
    \Driver\iaStor[0x8700FCF8] -> IRP_MJ_CREATE -> 0x8702A446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVS-26VAT0___________________11.01A11#4&939d6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\iaStor DriverStartIo -> 0x8702A292
    user != kernel MBR !!!
    sectors 312581806 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 11:08:20.57 ===============
     
  3. Jace0207


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/15/2009 10:22:49 PM
    System Uptime: 11/23/2010 10:32:33 AM (1 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | CPU | 2166/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 140 GiB total, 38.961 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Adobe Shockwave Player 11.5
    Atheros Driver Installation Program
    Atheros Wi-Fi Protected Setup Library
    avast! Free Antivirus
    BurnAware Free 2.4.7
    CD/DVD Drive Acoustic Silencer
    CDisplay 1.8
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    DC Universe Online
    DVD MovieFactory for TOSHIBA
    Facebook Plug-In
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 6
    K-Lite Codec Pack 4.7.0 (Standard)
    LeapFrog Connect
    LeapFrog Leapster2 Plugin
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Microsoft XML Parser
    MLBScoreboard
    Mozilla Firefox (3.6.12)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    QuickBooks Financial Center
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Spelling Dictionaries Support For Adobe Reader 8
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Desktop Links
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Hardware Setup
    TOSHIBA Recovery Disc Creator
    Toshiba Registration
    TOSHIBA Service Station
    TOSHIBA Software Modem
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Office 2007 (KB934528)
    Update for Office System 2007 Setup (KB929722)
    Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)
    Ventrilo Client
    Windows Media Encoder 9 Series
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Yahoo! Toolbar
    Zune
    Zune Language Pack (DE)
    Zune Language Pack (ES)
    Zune Language Pack (FR)
    Zune Language Pack (IT)

    ==== End Of File ===========================
     
  4. crunchie


    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop.
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!

    ===========

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.
     
  5. Jace0207


    ComboFix 10-11-23.01 - Joy Milam 11/23/2010 14:17:10.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.1242 [GMT -8:00]
    Running from: c:\users\Joy Milam\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possible infected sites -----

    hxxp://updates.swarmcast.net
    .
    \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
    .

    2010-11-23 22:23 . 2010-11-23 22:23 -------- d-----w- c:\users\Joy Milam\AppData\Local\temp
    2010-11-23 22:23 . 2010-11-23 22:23 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-23 09:44 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D8342F02-9B5C-473C-A8C1-69004F1410E7}\mpengine.dll
    2010-11-23 09:18 . 2010-11-23 09:18 -------- d-----w- c:\windows\Sun
    2010-11-10 18:08 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2010-11-10 04:24 . 2010-11-10 04:24 -------- d-----w- c:\users\Joy Milam\AppData\Local\Xenocode
    2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2010-10-27 04:58 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-27 04:58 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-27 04:58 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 18:41 . 2009-12-04 18:22 222080 ----a-w- c:\windows\system32\MpSigStub.exe
    2010-09-15 12:50 . 2010-06-04 05:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-13 13:56 . 2010-10-13 23:10 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-09-08 17:23 . 2010-10-13 23:09 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-09-08 17:07 . 2010-10-13 23:09 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 15:23 . 2010-10-13 23:09 389632 ----a-w- c:\windows\system32\html.iec
    2010-09-07 15:12 . 2010-09-24 02:54 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-06-03 05:12 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-06-03 05:13 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-06-03 05:13 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-06-03 05:13 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-06-03 05:13 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-09-07 14:47 . 2010-06-03 05:13 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-06 16:20 . 2010-10-13 22:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-09-06 16:19 . 2010-10-13 22:44 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-09-06 13:45 . 2010-10-13 22:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-09-06 13:45 . 2010-10-13 22:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-09-06 13:45 . 2010-10-13 22:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-08-31 15:46 . 2010-10-13 23:09 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46 . 2010-10-13 23:09 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44 . 2010-10-13 22:20 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27 . 2010-10-13 22:38 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37 . 2010-10-13 22:25 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33 . 2010-10-27 04:58 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33 . 2010-10-27 04:58 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33 . 2010-10-27 04:58 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33 . 2010-10-27 04:58 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-02 1283384]
    "Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
    "Skytel"="Skytel.exe" [2007-11-21 1826816]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

    c:\users\Joy Milam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MLB.TV NexDef Plug-in.lnk - c:\users\Joy Milam\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe [2009-4-1 801032]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
    R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
    R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSP;aswSP; [x]
    S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
    S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-02 62776]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    FF - ProfilePath - c:\users\Joy Milam\AppData\Roaming\Mozilla\Firefox\Profiles\qhx4z701.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.klove.com/
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\users\Joy Milam\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
    HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-HSON - %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
    SafeBoot-WudfPf
    SafeBoot-WudfRd



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-23 14:23
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????? ?m??h?????????????????

    scanning hidden files ...


    c:\windows\TEMP\TMP00000041E5FE16DD07EDD0E5 524288 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2010-11-23 14:24:55
    ComboFix-quarantined-files.txt 2010-11-23 22:24

    Pre-Run: 41,812,312,064 bytes free
    Post-Run: 41,749,499,904 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
    - - End Of File - - F188399E402CD9CA9479EC8187F7C733

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: TOSHIBA
    BIOS Manufacturer: INSYDE
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L305
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 146):
    0x82850000 \SystemRoot\system32\ntkrnlpa.exe
    0x8281D000 \SystemRoot\system32\hal.dll
    0x80405000 \SystemRoot\system32\kdcom.dll
    0x8040C000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8047C000 \SystemRoot\system32\PSHED.dll
    0x8048D000 \SystemRoot\system32\BOOTVID.dll
    0x80495000 \SystemRoot\system32\CLFS.SYS
    0x804D6000 \SystemRoot\system32\CI.dll
    0x80605000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x80676000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80684000 \SystemRoot\system32\drivers\acpi.sys
    0x806CA000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806D3000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806DB000 \SystemRoot\system32\drivers\pci.sys
    0x80702000 \SystemRoot\System32\drivers\partmgr.sys
    0x80711000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80714000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8071E000 \SystemRoot\system32\drivers\volmgr.sys
    0x8072D000 \SystemRoot\System32\drivers\volmgrx.sys
    0x80777000 \SystemRoot\System32\drivers\mountmgr.sys
    0x82E00000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x82ECE000 \SystemRoot\system32\drivers\atapi.sys
    0x82ED6000 \SystemRoot\system32\drivers\ataport.SYS
    0x82EF4000 \SystemRoot\system32\drivers\fltmgr.sys
    0x82F26000 \SystemRoot\system32\drivers\fileinfo.sys
    0x82F36000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x82F3F000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8800C000 \SystemRoot\system32\drivers\ndis.sys
    0x88117000 \SystemRoot\system32\drivers\msrpc.sys
    0x88142000 \SystemRoot\system32\drivers\NETIO.SYS
    0x88202000 \SystemRoot\System32\drivers\tcpip.sys
    0x882EC000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8840A000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8851A000 \SystemRoot\system32\drivers\volsnap.sys
    0x88553000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x88558000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
    0x8859B000 \SystemRoot\System32\Drivers\spldr.sys
    0x885A3000 \SystemRoot\System32\Drivers\mup.sys
    0x885B2000 \SystemRoot\System32\drivers\ecache.sys
    0x885D9000 \SystemRoot\system32\drivers\disk.sys
    0x88307000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x885EA000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8817D000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x88400000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x883F6000 \SystemRoot\system32\DRIVERS\FwLnk.sys
    0x88188000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x88197000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8C403000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8CAE7000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8CB88000 \SystemRoot\System32\drivers\watchdog.sys
    0x8CB94000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8CB9F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8CBDD000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8CE0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8CE99000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8CEBA000 \SystemRoot\system32\DRIVERS\athr.sys
    0x8CFA1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8CFB4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8CFBF000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8CFEE000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8CFF0000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8CE00000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
    0x8819B000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x881B3000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x82FB0000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8CBEC000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x881E2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x88000000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x80787000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x82FF1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x807AA000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x807BE000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x807D3000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8CE0A000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x805B6000 \SystemRoot\system32\DRIVERS\ks.sys
    0x807E3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x807ED000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8D000000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8D035000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8D200000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8D046000 \SystemRoot\system32\drivers\portcls.sys
    0x8D073000 \SystemRoot\system32\drivers\drmk.sys
    0x8D098000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0x8D1B4000 \SystemRoot\system32\drivers\modem.sys
    0x8D1C1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8D1CA000 \SystemRoot\System32\Drivers\Null.SYS
    0x8D1D1000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8D1D8000 \SystemRoot\System32\drivers\vga.sys
    0x8D404000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8D425000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8D42D000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8D435000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8D440000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8D44E000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8D457000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8D46D000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0x8D477000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8D48B000 \SystemRoot\system32\drivers\afd.sys
    0x8D4D3000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x8D4D8000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8D50A000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8D520000 \SystemRoot\system32\DRIVERS\jswpslwf.sys
    0x8D525000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8D533000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8D546000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8D582000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8D58C000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8D5A3000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x8D5CA000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x88328000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x8D5D7000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x94E90000 \SystemRoot\System32\win32k.sys
    0x8D5EB000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8D5F5000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x8D1E4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8D1F4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8CBF7000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x805E0000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x950B0000 \SystemRoot\System32\TSDDD.dll
    0x950D0000 \SystemRoot\System32\cdd.dll
    0xA8000000 \SystemRoot\system32\drivers\luafv.sys
    0xA801B000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
    0xA8052000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA8055000 \SystemRoot\system32\drivers\WudfPf.sys
    0xA806F000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0xA807F000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0xA80A9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA80B3000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xA80C6000 \SystemRoot\system32\drivers\spsys.sys
    0xA8176000 \SystemRoot\system32\drivers\HTTP.sys
    0xA81E3000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xAA801000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xAA81A000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xAA82F000 \SystemRoot\system32\drivers\mrxdav.sys
    0xAA850000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xAA86F000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xAA8A8000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xAA8C0000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xAA8E8000 \SystemRoot\System32\DRIVERS\srv.sys
    0xAB000000 \SystemRoot\system32\drivers\peauth.sys
    0xAB0DE000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xAB0E8000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xAB0F4000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xAB10A000 \??\C:\Users\JOYMIL~1\AppData\Local\Temp\catchme.sys
    0xAB112000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
    0x76F70000 \Windows\System32\ntdll.dll

    Processes (total 49):
    0 System Idle Process
    4 System
    464 C:\Windows\System32\smss.exe
    596 csrss.exe
    644 C:\Windows\System32\wininit.exe
    656 csrss.exe
    688 C:\Windows\System32\services.exe
    744 C:\Windows\System32\winlogon.exe
    772 C:\Windows\System32\lsass.exe
    780 C:\Windows\System32\lsm.exe
    932 C:\Windows\System32\svchost.exe
    988 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    1032 C:\Windows\System32\svchost.exe
    1072 C:\Windows\System32\svchost.exe
    1164 C:\Windows\System32\svchost.exe
    1220 C:\Windows\System32\svchost.exe
    1240 C:\Windows\System32\svchost.exe
    1316 C:\Windows\System32\audiodg.exe
    1348 C:\Windows\System32\SLsvc.exe
    1396 C:\Windows\System32\svchost.exe
    1548 C:\Windows\System32\svchost.exe
    1752 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1760 C:\Windows\System32\wlanext.exe
    280 C:\Windows\System32\spoolsv.exe
    312 C:\Windows\System32\svchost.exe
    1080 C:\Windows\System32\agrsmsvc.exe
    1448 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
    2060 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    2104 C:\Windows\System32\svchost.exe
    2120 C:\Windows\System32\svchost.exe
    2168 C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
    2260 C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
    2276 C:\Windows\System32\TODDSrv.exe
    2296 C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    2364 C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
    2392 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    2408 C:\Windows\System32\svchost.exe
    2428 C:\Windows\System32\SearchIndexer.exe
    2488 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    1692 C:\Windows\System32\taskeng.exe
    876 C:\Windows\System32\dwm.exe
    1620 C:\Windows\explorer.exe
    2740 C:\Users\Joy Milam\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe
    2252 C:\Windows\System32\SearchProtocolHost.exe
    3096 C:\Windows\System32\SearchFilterHost.exe
    3164 C:\Program Files\Mozilla Firefox\firefox.exe
    3600 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2968 C:\Windows\explorer.exe
    3920 C:\Users\Joy Milam\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD1600BEVS-26VAT0, Rev: 11.01A11

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61


    Done!
     
  6. crunchie

    crunchie Malware Helper Posts: 728

    How are things at the moment?

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.