Google searches redirected

By Puchatek
Mar 10, 2011
  1. My Google searches get redirected; the pages to which I'm redirected depend on the country I'm accessing the web in. Should any one of you be able to figure out what's causing the problem and how to get rid of it, I would be very grateful for the help. Below is the list of logs as suggested in the 8 steps virus/spyware removal post. Malwarebytes, as well as my Avast, found a few infected files, but although they claimed to clean the system of those, I am still getting redirected on most of my searches.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18928

    09/03/2011 00:28:45
    mbam-log-2011-03-09 (00-28-45).txt

    Scan type: Quick scan
    Objects scanned: 128624
    Time elapsed: 6 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\User Protection (Rogue.Protection) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)

    /*********************************/

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-03-09 00:32:37
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM251JI rev.2SS00_03
    Running: ux052f5s.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\ugroapow.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x911388DE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [8ACA99B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort0 [8ACA99B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort1 [8ACA99B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort2 [8ACA99B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort3 [8ACA99B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 [8ACA99B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\msahci \Device\Ide\PciIde0Channel0 855061F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel1 855061F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel4 855061F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel5 855061F8
    Device \Driver\axwxalwn \Device\Scsi\axwxalwn1 8721E1F8
    Device \Driver\a5s9rvbt \Device\Scsi\a5s9rvbt1 872251F8
    Device \Driver\axwxalwn \Device\Scsi\axwxalwn1Port6Path0Target0Lun0 8721E1F8
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Ntfs \Ntfs 855251F8

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    /*********************************/

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Administrator at 0:33:41.26 on 09/03/2011
    Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_13
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Windows\system32\svchost.exe -k apphost
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\SMINST\BLService.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\Windows\system32\vmnat.exe
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\vmnetdhcp.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\ctfmon.exe
    C:\Users\Administrator\Desktop\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    {555d4d79-4bd2-4094-a395-cfc534424a05}
    uRun: [Gadu-Gadu] "c:\program files\gadu-gadu\gg.exe" /tray
    uRun: [EPSON Stylus SX200 Series (Copy 2)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S5CEE.tmp" /EF "HKCU"
    uRun: [EPSON Stylus DX5000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibve.exe /fu "c:\windows\temp\E_S6B01.tmp" /EF "HKCU"
    uRun: [EPSON Stylus SX200 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_SFC0A.tmp" /EF "HKCU"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\administrator\appdata\roaming\dropbox\bin\Dropbox.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\k0msse8d.default\
    FF - prefs.js: browser.startup.homepage - google.com.sg
    FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
    FF - component: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\k0msse8d.default\extensions\{d249fd00-4df9-11d9-9fdc-0080481ada61}\components\mpint.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\users\administrator\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
    FF - Ext: Characterizer: kanjilish@jay.starkey - %profile%\extensions\kanjilish@jay.starkey
    FF - Ext: MetaProducts Integration: {D249FD00-4DF9-11D9-9FDC-0080481ADA61} - %profile%\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-8 371544]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-4 301528]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-4 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-4 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-4 42184]
    R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-27 365952]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-24 370688]
    R2 vmserverdWin32;VMware Registration Service;c:\program files\vmware\vmware server\vmserverdWin32.exe [2008-5-9 1650781]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 ZTEusbnmeaext;ZTE NMEAExt Port;c:\windows\system32\drivers\ZTEusbnmeaext.sys [2010-7-1 103936]
    .
    =============== Created Last 30 ================
    .
    2011-03-08 14:36:48 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-02-17 13:43:33 -------- d-----w- C:\Dropbox
    2011-02-17 13:41:31 -------- d-----w- c:\users\admini~1\appdata\roaming\Dropbox
    .
    ==================== Find3M ====================
    .
    2011-02-23 15:04:21 40648 ----a-w- c:\windows\avastSS.scr
    .
    ============= FINISH: 0:34:29.76 ===============

    /*********************************/

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    .
    Motherboard: Wistron | | 360C
    Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | CPU | 2166/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 173 GiB total, 64.448 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 1.398 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Deskjet F4500 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Deskjet F4500 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: HP Color LaserJet 2600n
    Device ID: ROOT\MULTIFUNCTION\0001
    Manufacturer: Hewlett-Packard
    Name: HP Color LaserJet 2600n
    PNP Device ID: ROOT\MULTIFUNCTION\0001
    Service:
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: hp color LaserJet 5500
    Device ID: ROOT\MULTIFUNCTION\0002
    Manufacturer: Hewlett-Packard
    Name: hp color LaserJet 5500
    PNP Device ID: ROOT\MULTIFUNCTION\0002
    Service:
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    "Minimal SYStem 1.0.11"
    32 Bit HP CIO Components Installer
    8051IDE
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.2
    Adobe Shockwave Player
    Adobe Shockwave Player 11.5
    Anki
    Apple Software Update
    Atheros Driver Installation Program
    AutoCAD 2000
    AutoCAD 2000 Migration Assistance
    avast! Free Antivirus
    Blood Bowl version 1.2.0.1
    Bonjour
    BufferChm
    CCleaner
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    ContainerEx Decrypter
    CyberLink DVD Suite
    Dev-C++ 5 beta 9 release (4.9.9.2)
    DJ_AIO_06_F4500_SW_MIN
    DjVuLibre+DjView
    DocProc
    DocProcQFolder
    Dropbox
    EPSON Printer Software
    EPSON Scan
    EPSON Stylus SX200 Series Printer Uninstall
    ESU for Microsoft Vista
    F4500
    Free Download Manager 3.0
    Freelang Dictionary (wordlist)
    Freelang Dictionary 3.74 beta
    FTDI USB Serial Converter Drivers
    Gadu-Gadu 6.1
    GearDrvs
    Google Chrome
    HDAUDIO Soft Data Fax Modem with SmartCP
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet F4500 Printer Driver Software 13.0 Rel .6
    HP Doc Viewer
    HP DVD Play 3.7
    HP User Guides 0118
    HP Wireless Assistant
    HPPhotoGadget
    HPTCSSetup
    hpWLPGInstaller
    Intel(R) Graphics Media Accelerator Driver
    Japanese Fonts Support For Adobe Reader 9
    Java DB 10.4.1.3
    Java(TM) 6 Update 13
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 13
    JavaFX(TM) 1.1 SDK
    Kantaris Media Player 0.4.3
    Malwarebytes' Anti-Malware
    MATLAB Student R2007a
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Document Explorer 2008
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.2pre)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    Network
    Notepad++
    OCR Software by I.R.I.S. 11.0
    Open Source Computer Vision Library 1.1pre1
    OpenOffice.org 3.1
    Pando Media Booster
    Power2Go
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Scan
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Skype™ 3.8
    Smart Defrag 1.11
    Spybot - Search & Destroy
    SpywareBlaster 4.3
    Swiff Player 1.5
    Synaptics Pointing Device Driver
    Toolbox
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Visual Studio Tools for the Office system 3.0 Runtime
    VLC media player 1.0.1
    VMware Server
    WebReg
    Winamp
    Windows Driver Package - FTDI CDM Driver Package (02/17/2009 2.04.16)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinRAR archiver
    WinVDIG 1.0
    µTorrent
    .
    ==== End Of File ===========================
  2. Bobbye

    Welcome to TechSpot! I'll help with the malware.

    You have a rootkit malware infection, which is why you can remove the infection. Special scans are used for this:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please include the log with the next reply.
    • A reboot is required after disinfection.
    ==================================================
    When finished with the above, Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
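As an added example (not from this thread or from any of the tools named in it), a small Python triage script that pulls the rootkit-class evidence out of the three log formats posted here: the Malwarebytes detection list, GMER's device/file section, and TDSSKiller's per-driver lines. The embedded sample lines are copied from the logs in this thread; the function names, the `Finding` record and the evidence categories are my own.

```python
import re
from dataclasses import dataclass

# Constructed samples: excerpts copied from the scan logs posted in this thread.
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\User Protection (Rogue.Protection) -> Quarantined and deleted successfully.
"""

GMER_SAMPLE = r"""
Device \Driver\atapi \Device\Ide\IdePort0 [8ACA99B0] \SystemRoot\system32\drivers\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\msahci \Device\Ide\PciIde0Channel0 855061F8
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""

TDSS_SAMPLE = r"""
2011/03/12 11:19:28.0676 5904 atapi (f980094c5e02cb9cce996171d273128b) C:\Windows\system32\drivers\atapi.sys
2011/03/12 11:19:28.0676 5904 Suspicious file (Forged): C:\Windows\system32\drivers\atapi.sys. Real md5: f980094c5e02cb9cce996171d273128b, Fake md5: 1f05b78ab91c9075565a9d8a4b880bc4
2011/03/12 11:19:28.0676 5904 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/12 11:19:28.0769 5904 athr (2846f5ee802889d500fcf5cc48b28381) C:\Windows\system32\DRIVERS\athr.sys
"""

# Malwarebytes: one "object (Family) -> action" line per detection.
MBAM_ITEM = re.compile(r"^(?P<obj>.+?) \((?P<family>[A-Za-z.]+)\) -> (?P<action>.+)$")
# GMER: a driver dispatch entry that points outside every section of the driver
# image ("[unknown section]") into a stub that jumps through a pointer kept at a
# fixed address. A clean driver's dispatch entries live inside its own image.
GMER_HOOK = re.compile(r"^Device (?P<driver>\S+) (?P<device>\S+) \[(?P<addr>[0-9A-Fa-f]+)\] "
                       r"(?P<image>\S+?)\[unknown section\] \{(?P<stub>[^}]*)\}$")
GMER_FILE = re.compile(r"^File (?P<path>.+) suspicious modification$")
# TDSSKiller: the same file hashed two ways yields two different digests, which
# only happens when something sits between the reader and the disk.
TDSS_FORGED = re.compile(r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
                         r"Fake md5: (?P<fake>[0-9a-f]{32})")
TDSS_DETECT = re.compile(r"^\S+ \S+ \d+ (?P<svc>\S+) - detected (?P<family>\S+)")

ROOTKIT_KINDS = {"rootkit_family", "kernel_hook", "modified_file", "forged_hash"}


@dataclass(frozen=True)
class Finding:
    scanner: str   # tool that produced the evidence
    kind: str      # one of ROOTKIT_KINDS, or "other_detection"
    detail: str


def parse_mbam(text):
    out = []
    for line in text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            kind = "rootkit_family" if m["family"].startswith("Rootkit.") else "other_detection"
            out.append(Finding("MBAM", kind, f"{m['family']} at {m['obj']}"))
    return out


def parse_gmer(text):
    out = []
    for line in text.splitlines():
        line = line.strip()
        if m := GMER_HOOK.match(line):
            out.append(Finding("GMER", "kernel_hook",
                               f"{m['driver']} dispatch for {m['device']} -> {m['stub']}"))
        elif m := GMER_FILE.match(line):
            out.append(Finding("GMER", "modified_file", m["path"]))
    return out


def parse_tdsskiller(text):
    out = []
    for line in text.splitlines():
        if m := TDSS_FORGED.search(line):
            out.append(Finding("TDSSKiller", "forged_hash",
                               f"{m['path']} real={m['real']} fake={m['fake']}"))
        elif m := TDSS_DETECT.match(line.strip()):
            out.append(Finding("TDSSKiller", "rootkit_family", f"{m['family']} in service {m['svc']}"))
    return out


def triage(mbam="", gmer="", tdss=""):
    """Collect findings from whichever of the three logs are available."""
    return parse_mbam(mbam) + parse_gmer(gmer) + parse_tdsskiller(tdss)


def rootkit_evidence(findings):
    """Scanners that independently reported rootkit-class evidence; agreement
    between unrelated tools on the same driver is what makes the call solid."""
    return {f.scanner for f in findings if f.kind in ROOTKIT_KINDS}


if __name__ == "__main__":
    found = triage(MBAM_SAMPLE, GMER_SAMPLE, TDSS_SAMPLE)
    for f in found:
        print(f"[{f.scanner:10}] {f.kind:16} {f.detail}")
    print("rootkit evidence from:", sorted(rootkit_evidence(found)))
```

Run against the samples, all three tools point at the same driver (atapi.sys): a registry marker, a hooked dispatch entry plus a modified file, and a forged on-disk hash.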
  3. Puchatek

    Below's the log from TDSSKiller.
    I'm still getting redirected, and the only visible result from running both programmes is that my wallpaper got removed and, for some reason, setting a new one doesn't actually change the desktop.

    BTW, are there any articles at TechSpot that teach you to make sense of those various logs? I would like to learn how you realized I have a rootkit malware infection from the logs, so that next time I don't have to sheepishly follow someone else's instructions.

    Well, here's the log:

    2011/03/12 11:19:13.0871 1740 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/03/12 11:19:13.0934 1740 ================================================================================
    2011/03/12 11:19:13.0934 1740 SystemInfo:
    2011/03/12 11:19:13.0934 1740
    2011/03/12 11:19:13.0934 1740 OS Version: 6.0.6002 ServicePack: 2.0
    2011/03/12 11:19:13.0934 1740 Product type: Workstation
    2011/03/12 11:19:13.0934 1740 ComputerName: PUCHATEK
    2011/03/12 11:19:13.0949 1740 UserName: Administrator
    2011/03/12 11:19:13.0949 1740 Windows directory: C:\Windows
    2011/03/12 11:19:13.0949 1740 System windows directory: C:\Windows
    2011/03/12 11:19:13.0949 1740 Processor architecture: Intel x86
    2011/03/12 11:19:13.0949 1740 Number of processors: 2
    2011/03/12 11:19:13.0949 1740 Page size: 0x1000
    2011/03/12 11:19:13.0949 1740 Boot type: Normal boot
    2011/03/12 11:19:13.0949 1740 ================================================================================
    2011/03/12 11:19:20.0938 1740 Initialize success
    2011/03/12 11:19:26.0414 5904 ================================================================================
    2011/03/12 11:19:26.0414 5904 Scan started
    2011/03/12 11:19:26.0414 5904 Mode: Manual;
    2011/03/12 11:19:26.0414 5904 ================================================================================
    2011/03/12 11:19:27.0506 5904 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    2011/03/12 11:19:27.0584 5904 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
    2011/03/12 11:19:27.0631 5904 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
    2011/03/12 11:19:27.0662 5904 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
    2011/03/12 11:19:27.0693 5904 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
    2011/03/12 11:19:27.0802 5904 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
    2011/03/12 11:19:27.0865 5904 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
    2011/03/12 11:19:27.0880 5904 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    2011/03/12 11:19:27.0958 5904 aliide (3d76fda1a10acc3dc84728f55c29b6d4) C:\Windows\system32\drivers\aliide.sys
    2011/03/12 11:19:27.0989 5904 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
    2011/03/12 11:19:28.0021 5904 amdide (5b92e7839f5a1fbc1b39de67758ad6f8) C:\Windows\system32\drivers\amdide.sys
    2011/03/12 11:19:28.0052 5904 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
    2011/03/12 11:19:28.0099 5904 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
    2011/03/12 11:19:28.0192 5904 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
    2011/03/12 11:19:28.0270 5904 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
    2011/03/12 11:19:28.0317 5904 aswFsBlk (1c2e6bb4fe8621b1b863855b02bc33eb) C:\Windows\system32\drivers\aswFsBlk.sys
    2011/03/12 11:19:28.0364 5904 aswMonFlt (b0f137f664f10829cd2380b0e20e7c29) C:\Windows\system32\drivers\aswMonFlt.sys
    2011/03/12 11:19:28.0395 5904 aswRdr (b6a9373619d851be80fb5f1b5eed0d4e) C:\Windows\system32\drivers\aswRdr.sys
    2011/03/12 11:19:28.0473 5904 aswSnx (9be41c1ae8bc481eb662d85c98d979c2) C:\Windows\system32\drivers\aswSnx.sys
    2011/03/12 11:19:28.0520 5904 aswSP (4b1a54ba2bc5873a774df6b70ab8b0b3) C:\Windows\system32\drivers\aswSP.sys
    2011/03/12 11:19:28.0551 5904 aswTdi (c7f1cea32766184911293f4e1ee653f5) C:\Windows\system32\drivers\aswTdi.sys
    2011/03/12 11:19:28.0613 5904 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    2011/03/12 11:19:28.0676 5904 atapi (f980094c5e02cb9cce996171d273128b) C:\Windows\system32\drivers\atapi.sys
    2011/03/12 11:19:28.0676 5904 Suspicious file (Forged): C:\Windows\system32\drivers\atapi.sys. Real md5: f980094c5e02cb9cce996171d273128b, Fake md5: 1f05b78ab91c9075565a9d8a4b880bc4
    2011/03/12 11:19:28.0676 5904 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/03/12 11:19:42.0326 5904 sptd (a199171385be17973fd800fa91f8f78a) C:\Windows\system32\Drivers\sptd.sys
    2011/03/12 11:19:42.0326 5904 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: a199171385be17973fd800fa91f8f78a
    2011/03/12 11:19:42.0341 5904 sptd - detected Locked file (1)
    2011/03/12 11:19:47.0848 5904 ================================================================================
    2011/03/12 11:19:47.0848 5904 Scan finished
    2011/03/12 11:19:47.0848 5904 ================================================================================
    2011/03/12 11:19:47.0864 1908 Detected object count: 2
    2011/03/12 11:20:27.0862 1908 atapi (f980094c5e02cb9cce996171d273128b) C:\Windows\system32\drivers\atapi.sys
    2011/03/12 11:20:27.0862 1908 Suspicious file (Forged): C:\Windows\system32\drivers\atapi.sys. Real md5: f980094c5e02cb9cce996171d273128b, Fake md5: 1f05b78ab91c9075565a9d8a4b880bc4
    2011/03/12 11:20:27.0862 1908 C:\Windows\system32\drivers\atapi.sys - copied to quarantine
    2011/03/12 11:20:28.0034 1908 \HardDisk0\TDLFS\z00clicker.dll - copied to quarantine
    2011/03/12 11:20:28.0034 1908 \HardDisk0\TDLFS\config.ini - copied to quarantine
    2011/03/12 11:20:28.0034 1908 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Quarantine
    2011/03/12 11:20:28.0096 1908 sptd (a199171385be17973fd800fa91f8f78a) C:\Windows\system32\Drivers\sptd.sys
    2011/03/12 11:20:28.0096 1908 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: a199171385be17973fd800fa91f8f78a
    2011/03/12 11:20:28.0096 1908 C:\Windows\system32\Drivers\sptd.sys - copied to quarantine
    2011/03/12 11:20:28.0096 1908 Locked file(sptd) - User select action: Quarantine
    2011/03/12 11:21:10.0528 6052 Deinitialize success
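The TDSSKiller log above is easier to act on once its findings are pulled out of the driver enumeration. This is an added example, not part of the thread or of TDSSKiller: a small Python parser for the line format shown above, run over a constructed excerpt that mirrors the lines from this log, which separates a forged system file (the hash of the real file contents differing from what the normal read path returned) from a merely locked one and flags items pulled from the rootkit's hidden TDLFS file system.

```python
"""Parse TDSSKiller-style log lines and keep only what a helper acts on:
forged system files, detections, locked files and quarantine actions.

Added example for this thread, not part of TDSSKiller or of any post.
SAMPLE is a constructed excerpt mirroring the log lines quoted above.
"""
import re
from dataclasses import dataclass, field

# One log line: timestamp, thread id, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*)$"
)
# "Suspicious file (Forged): <path>. Real md5: <hash>, Fake md5: <hash>"
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
# "Suspicious file (NoAccess): <path>. md5: <hash>"
NOACCESS_RE = re.compile(
    r"^Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$"
)
# "<service> - detected <verdict> (<n>)"
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>.+?) \(\d+\)$")
# "<path> - copied to quarantine"
QUARANTINE_RE = re.compile(r"^(?P<path>.+?) - copied to quarantine$")
# "<object> - User select action: <action>"
ACTION_RE = re.compile(r"^(?P<obj>.+?) - User select action: (?P<action>\w+)$")


@dataclass
class Findings:
    forged: list = field(default_factory=list)       # (path, real_md5, fake_md5)
    no_access: list = field(default_factory=list)    # (path, md5)
    detected: list = field(default_factory=list)     # (service, verdict)
    quarantined: list = field(default_factory=list)  # paths copied to quarantine
    actions: list = field(default_factory=list)      # (object, chosen action)


def parse_tdsskiller_log(text: str) -> Findings:
    """Walk the log once; banners and plain driver entries are skipped."""
    f = Findings()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (x := FORGED_RE.match(msg)):
            f.forged.append((x["path"], x["real"], x["fake"]))
        elif (x := NOACCESS_RE.match(msg)):
            f.no_access.append((x["path"], x["md5"]))
        elif (x := DETECTED_RE.match(msg)):
            f.detected.append((x["name"], x["verdict"]))
        elif (x := QUARANTINE_RE.match(msg)):
            f.quarantined.append(x["path"])
        elif (x := ACTION_RE.match(msg)):
            f.actions.append((x["obj"], x["action"]))
    return f


def triage(f: Findings) -> dict:
    """Separate the two kinds of 'suspicious' the log reports.

    Forged: the hash TDSSKiller computed from the file itself ('Real')
    differs from the hash the normal Windows read path returned ('Fake'),
    so something in the driver stack is hiding the true file contents.
    NoAccess / Locked: the tool merely could not open the file; legitimate
    self-protecting drivers such as sptd.sys (Daemon Tools / Alcohol 120%)
    report this way, so these are listed for review, not escalated.
    Anything under \\HardDisk0\\TDLFS\\ came from the rootkit's hidden
    file system and means hidden components were present on disk.
    """
    rootkit_hits = [(p, r, fk) for p, r, fk in f.forged if r != fk]
    hidden_fs = [p for p in f.quarantined if "\\TDLFS\\" in p]
    review_only = [p for p, _ in f.no_access]
    return {
        "rootkit_hits": rootkit_hits,
        "hidden_fs_items": hidden_fs,
        "review_only": review_only,
        "needs_followup": bool(rootkit_hits or hidden_fs),
    }


# Constructed excerpt mirroring the lines of the log above.
SAMPLE = r"""
2011/03/12 11:19:28.0676 5904 atapi (f980094c5e02cb9cce996171d273128b) C:\Windows\system32\drivers\atapi.sys
2011/03/12 11:19:28.0676 5904 Suspicious file (Forged): C:\Windows\system32\drivers\atapi.sys. Real md5: f980094c5e02cb9cce996171d273128b, Fake md5: 1f05b78ab91c9075565a9d8a4b880bc4
2011/03/12 11:19:28.0676 5904 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/12 11:19:42.0326 5904 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: a199171385be17973fd800fa91f8f78a
2011/03/12 11:19:42.0341 5904 sptd - detected Locked file (1)
2011/03/12 11:19:47.0848 5904 ================================================================================
2011/03/12 11:19:47.0848 5904 Scan finished
2011/03/12 11:20:27.0862 1908 C:\Windows\system32\drivers\atapi.sys - copied to quarantine
2011/03/12 11:20:28.0034 1908 \HardDisk0\TDLFS\z00clicker.dll - copied to quarantine
2011/03/12 11:20:28.0034 1908 \HardDisk0\TDLFS\config.ini - copied to quarantine
2011/03/12 11:20:28.0034 1908 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Quarantine
2011/03/12 11:20:28.0096 1908 Locked file(sptd) - User select action: Quarantine
"""

if __name__ == "__main__":
    for key, value in triage(parse_tdsskiller_log(SAMPLE)).items():
        print(f"{key}: {value}")
```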
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please run Combofix as directed.

    Follow that with: Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    As for your question about learning to read logs, the only article you might find, on various internet sites, may be a general interpretation of HijackThis. But learning to determine the presence of a rootkit is better left to those who have been trained to do it. Do not worry about being "sheepish" in asking for help. We would rather you do that than load a bunch of inappropriate programs to try and find and fix yourself.

    The only directions you should follow are those given by your helper, in this case me, to address your specific problems and entries.

    If you want to look into this further, there are several virtual schools on the internet for malware training.
  5. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    Ok, here's the Eset's log:

    C:\TDSSKiller_Quarantine\12.03.2011_11.19.13\rtkt0000\svc0000\tsk0000.dta
    Win32/Olmarik.TM trojan
    C:\TDSSKiller_Quarantine\12.03.2011_11.19.13\rtkt0000\tdlfs0000\tsk0000.dta
    Win32/TrojanClicker.Agent.NJA trojan

    One thing, though - last evening I turned on Combofix and left the laptop unattended. When I came back some half an hour later, the PC was at reboot password stage. I got prompted that windows didn't close normally, and was asked whether I would like to load in safe mode. Once I loaded windows proper (in normal mode) I got a prompt about blue screen of death on last run. So something went wrong with Combofix this time (didn't happen the first time I used it), but as it was late in the night and I had to go to sleep, rather than retrying Combofix I set up the Eset scan for the night. Please let me know if this is a big issue and you need me to rerun the whole procedure.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Since there was an improper shut down, run the Error Check with both the Fix and Scan boxes checked:
    My Computer> Right click on Local Drive (C)> Properties> Tools tab> Error Check> Check both boxes on screen that comes up> OK> Close message and Reboot.

    Let the checking complete. The system will reboot on its own. Try Combofix again.

    For the Eset entries:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\TDSSKiller_Quarantine\12.03.2011_11.19.13\rtkt0000\svc0000\tsk0000.dta
      C:\TDSSKiller_Quarantine\12.03.2011_11.19.13\rtkt0000\tdlfs0000\tsk0000.dta
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  7. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    Still getting redirected, though. Well, below is the log:

    All processes killed
    ========== FILES ==========
    C:\TDSSKiller_Quarantine\12.03.2011_11.19.13\rtkt0000\svc0000\tsk0000.dta moved successfully.
    C:\TDSSKiller_Quarantine\12.03.2011_11.19.13\rtkt0000\tdlfs0000\tsk0000.dta moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 671852 bytes
    ->Temporary Internet Files folder emptied: 7400699 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 43588722 bytes
    ->Google Chrome cache emptied: 6583518 bytes
    ->Flash cache emptied: 689 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: pcworld
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 738729 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 222249102 bytes

    Total Files Cleaned = 268.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03162011_201225

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
    C:\Windows\temp\vmware-serverd.log moved successfully.
    File move failed. C:\Windows\temp\vmware-vmount.log scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you run the Error Check?
    Did you try the Combofix scan again?


    I would like to note the OTM moved Total Files Cleaned = 268.00 mb. This is a very large amount of files and indicates you may not be doing any regular maintenance on the system.

    You have 4 versions of Java installed, none of them the current version, which is v6u24. Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
    (Note: You should not also add Java extensions to Firefox. This update covers FF also.)
  9. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    Ok, so I realized that I didn't successfully run the Combofix before launching OTMoveIt, although I thought differently. When turning on Combofix first a loading bar comes up, and after about two minutes it disappears. Although it seemed strange to me that this would be all the output from the Combofix I would see, the computer seemed inactive for the next few minutes, so I was convinced Combofix had indeed finished running, so I restarted my PC and went ahead with OTMoveIt. Turns out I should have waited yet another couple of minutes, after which the Combofix proper would finally load. However, once Combofix begins the scan, Windows crashes. I tried three times, with the same results on each run. Any ideas how to go about it?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Run RKill:
    First Delete Combofix file:
    • Click START> then RUN
    • Type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Then Reinstall a new Combofix but rename combofix.exe to puchatek.exe BEFORE saving it to your desktop. Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com)
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once one Rkill has run, immediately double click on puchatek.exe to run it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, Rkill and Combofix.
  11. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    No luck. I was able to run Rkill in normal mode (btw - it took a good couple of minutes for it to load, and most of this time the PC appeared to be inactive, then maybe a minute to run once the Rkill window came up), and here's the log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 20/03/2011 at 16:29:03.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:

    C:\PROGRA~1\FREEDO~1\fdm.exe


    Rkill completed on 20/03/2011 at 16:29:11.

    I wasn't able to run Combofix afterwards, though.

    I then tried running both programmes in safe mode, and here's the Rkill log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 20/03/2011 at 17:00:50.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:

    C:\Windows\System32\WerFault.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\conime.exe


    Rkill completed on 20/03/2011 at 17:00:55.

    But upon attempting to run Combofix the PC crashed. I did one more attempt, running Rkill in safe mode first (same log, only that conime.exe was killed only once, not twice), but Combofix didn't want to open - after the initial loading bar disappeared I left the PC untouched for over half an hour hoping that maybe it was slowly loading in the background, but to no avail, nothing happened.

    BTW - I have Ubuntu 9.04 installed on this PC as well, maybe there's an easier method to sort out the redirection problem from a different system?
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Every time I go back and review the logs, I see this and copy it to ask about- but don't. So please explain:

    Can you clarify this for me? How do you know what country a site is in? How is the redirect related? Domain names are okay, but no links. There are particular sites in particular countries that hijack browsers on search, but so far, I'm not seeing that in your logs.

    As for working with Ubuntu, I have no experience with that OS and doubt the Windows scans would work on it. But it does make me wonder if the dual boot is causing the problem.
  13. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    No, what I mean is that depending on the country I'm accessing the web in I'm getting redirected to different pages. When in the UK I got redirected mainly to one online shopping site (can't remember the name) and some online drug stores; now that I live in Singapore I'm being redirected mainly to Stulus and Yahoo Singapore. Funnily enough, when I stayed in Poland for a while I didn't get redirected at all - instead, when clicking a new link the browser would appear to be inactive for some 3 seconds or so, before proceeding to the right webpage. Looked a bit as if whatever's redirecting me couldn't find a webpage it would like to forward me to, so gave up and let the right webpage go through.

    Maybe it's worth adding that if after getting redirected I click the 'go back one page' button in the browser, and then click on the link I intended to go to again, most of the time I would be taken to the right webpage rather than redirected.

    As for dual boot being the problem - nope, I had two systems for well over a year before I started to get redirected.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Thank you for the explanation. I'm not sure of the significance, but at least I understand what you mean.

    I'm adding another program to follow rKill: Follow these steps in order:

    If Combofix refuses to run, try one of the following:
    1). Try to run the scan from Safe Mode.

    2). Delete the Combofix file, download a fresh one, but rename combofix.exe to puchatek.exe BEFORE saving it to your desktop. Do NOT run it yet.

    3). Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.
    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Without a reboot, immediately double click on puchatek.exe to run it (this is the renamed Combofix.exe file).

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, Rkill and Combofix.
  15. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    No luck this time either. exeHelper ran without problems, both in normal mode and in safe mode, but the renamed Combofix wouldn't load up properly nonetheless. After failing in normal mode, I tried the whole process in safe mode twice; in both cases rkill and exeHelper ran successfully (rkill took a good couple of minutes to load up, as before), but on the first attempt the renamed Combofix didn't load up afterwards, and on the second attempt the system crashed. Below I have pasted the rkill and exeHelper logs for both normal and safe run modes, as well as the Windows crash report, perhaps it will be of some help.

    Normal mode:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 26/03/2011 at 9:13:17.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:

    C:\Users\Administrator\AppData\Roaming\Dropbox\bin\Dropbox.exe


    Rkill completed on 26/03/2011 at 9:13:27.

    (Note - Dropbox isn't a problem, I installed it long after the redirections issue appeared.)

    /**************/

    exeHelper by Raktor
    Build 20100414
    Run at 09:14:04 on 03/26/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    /*********************************************************************/

    Safe mode:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 26/03/2011 at 9:51:20.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:

    C:\Windows\system32\conime.exe
    C:\Windows\system32\conime.exe


    Rkill completed on 26/03/2011 at 9:51:25.

    /************/

    exeHelper by Raktor
    Build 20100414
    Run at 09:14:04 on 03/26/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 09:52:56 on 03/26/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    /******************************************/

    (Note - On second safe mode run logs were exactly the same, only that exeHelper had three sets of entries, not two.)

    And here's the windows crash log:

    Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.0.6002.2.2.0.768.3
    Locale ID: 2057

    Additional information about the problem:
    BCCode: 1000007e
    BCP1: C0000005
    BCP2: 82217ADD
    BCP3: 8D6B55B8
    BCP4: 8D6B52B4
    OS Version: 6_0_6002
    Service Pack: 2_0
    Product: 768_1

    Files that help describe the problem:
    C:\Windows\Minidump\Mini032611-01.dmp
    C:\Users\Administrator\AppData\Local\Temp\WER-74942-0.sysdata.xml
    C:\Users\Administrator\AppData\Local\Temp\WER57EE.tmp.version.txt

    Read our privacy statement:
    http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
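    The crash report above can be read before anyone opens the minidump. The following is an added example, not something posted in the thread: a small Python decoder for the Windows Error Reporting "Problem signature" block. It maps BCCode 1000007e to SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M and, because bug check 0x7E documents its first parameter as the exception code and its second as the faulting address, reports BCP1 C0000005 as STATUS_ACCESS_VIOLATION at 0x82217ADD. The `thirty_two_bit` flag is an assumption (the thread never states the bitness of the Vista install); on 32-bit Windows with the default 2 GB/2 GB split an address at or above 0x80000000 is kernel space, which is why this crash is a driver question rather than an application one. Which module owns that address is what `!analyze -v` on the .dmp in WinDbg would answer.

```python
import re

# Constructed copy of the "Problem signature" block posted above. The values are the
# ones from the thread; only the surrounding layout is reproduced here.
SAMPLE_REPORT = """
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: 1000007e
BCP1: C0000005
BCP2: 82217ADD
BCP3: 8D6B55B8
BCP4: 8D6B52B4
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
"""

# Names from the public Windows bug check reference. Anything not listed here is
# reported as "unknown" instead of being guessed.
BUGCHECKS = {
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x1000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M",
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}


def parse_signature(text):
    """Collect the 'Key: Value' lines of a WER BlueScreen report into a dict.

    'OS Version' appears twice in these reports; the later one wins, which does
    not matter because only BCCode and BCP1..BCP4 are decoded below.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s*(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def decode(fields, thirty_two_bit=True):
    """Turn the raw hex fields into something a responder can act on.

    thirty_two_bit is an assumption: the thread never states the bitness of the
    Vista install, and the kernel/user split below only holds for 32-bit Windows
    with the default 2 GB/2 GB layout.
    """
    code = int(fields["BCCode"], 16)
    params = [int(fields[f"BCP{i}"], 16) for i in range(1, 5)]
    result = {"bugcheck": BUGCHECKS.get(code, "unknown"), "code": code, "params": params}
    # Bug check 0x7E (and its 0x1000007E variant) documents its parameters as:
    # exception code, address where the exception occurred, exception record
    # address, context record address.
    if (code & 0x0FFFFFFF) == 0x7E:
        result["exception"] = NTSTATUS.get(params[0], "unknown")
        result["fault_address"] = params[1]
        if thirty_two_bit:
            result["in_kernel_space"] = params[1] >= 0x80000000
    return result


def triage(text, thirty_two_bit=True):
    """Parse and decode a pasted WER report in one call."""
    return decode(parse_signature(text), thirty_two_bit)


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{r['bugcheck']} (0x{r['code']:08X}): {r.get('exception')} "
          f"at 0x{r.get('fault_address', 0):08X}, kernel={r.get('in_kernel_space')}")
```

    The decoder deliberately refuses to name bug checks or status codes it does not have in its table; a wrong label at this stage sends the minidump analysis in the wrong direction.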
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you run the Error Check I asked for several replies back?

    You may have uninstalled it- but if Rkill stopped the executable, it means it's still running! Try using the Windows Installer Cleanup Utility to remove files left over from uninstalls.

    I'd like you to do a search on the system for ComboFix.txt It's possible there may be a log.
  17. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    Yes, I ran the Error Check before attempting the rkill + Combofix combination, and also a few reboots before the rkill + exeHelper + Combofix combination. I retried today running the Error Check once again and then following with these three right after, but with a similar result - rkill and exeHelper executed, but Combofix wouldn't.

    Just to make double sure you have a clear picture of how Combofix is behaving: when I double click the program, first a small loading progress bar titled Combofix appears, and slowly loads. A little while after it hits the full loading state it disappears, and there seems to be no program running, but the computer is still choked up, with the cursor occasionally changing in and out of the loading circle icon. This continues for a good twenty minutes or so, but at some point ceases and the computer starts responding to commands again. A quick check in the task manager confirms that there are indeed no applications running, and the CPU usage is very low, so I assume it means the Combofix load dropped.

    As I mentioned, occasionally Combofix actually loaded, but Windows crashed as Combofix was attempting the scan.

    Also, a search didn't find any ComboFix.txt on the disc.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'd like you to do me a favor please. My d... internet went down-again. I am trying to catch up. But I don't do the minidumps. I'd like you to copy what you posted:
    in our Windows BSOD Forum. Tell them it's a crash report from an attempt to run Combofix. They will direct you if they need another minidump - that I need to know what drivers are causing this problem, that I'm working with you in V&M.

    Then come back and let me know, okay?
  19. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Sorry about that! I just sent a couple of PMs asking for someone to assist you.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Reopening thread at member's request:

    Please uninstall the Malwarebytes you ran originally. Then download the current version and run a new scan:
    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ==================================
    When you finish, see if Combofix will run.
    ========================
    Funny thing - I got a PM from another member yesterday telling me he had the same problem as you and asking me to reopen this thread! He went ahead and started his own and I explained we only reopen a thread when the original poster asks us to.
  23. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    Hi

    Malwarebytes detected and removed a single infection, however it didn't help the redirection issue, nor did it change anything about Combofix - it still wouldn't run. I tried running Malwarebytes once again after restarting my PC to see if the infection would appear again, but no, it seems to be removed permanently. Will probably try once again in a few days. Anyway, here's the log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6372

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18928

    16/04/2011 14:06:39
    mbam-log-2011-04-16 (14-06-39).txt

    Scan type: Quick scan
    Objects scanned: 166772
    Time elapsed: 3 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Value: 7bde84a2-f58f-46ec-9eac-f1f90fead080 -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
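    Logs like the one above are usually read by eye, which is how a single "Quarantined and deleted successfully" line ends up being mistaken for a clean machine. As an added example (not code from the thread or from Malwarebytes), here is a Python parser for the Malwarebytes' Anti-Malware 1.x log layout: it pulls the summary counts and the per-section detection entries, cross-checks that the counts match the listed entries, and separates Rootkit.* families (where a user-mode scanner's "deleted" is not the end of the story) and *.Trace families (leftover markers rather than an active component) from everything else. The sample log embeds the Registry Values entry posted above; the Folders entry and its summary count of 1 are constructed so that a second populated section is exercised.

```python
import re

# Constructed sample in the layout Malwarebytes' Anti-Malware 1.x writes. The
# Registry Values entry is the one posted above; the Folders entry is made up so
# that the parser sees a second populated section (its summary count was set to 1
# to match).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6372
Windows 6.0.6002 Service Pack 2 (Safe Mode)
16/04/2011 14:06:39
mbam-log-2011-04-16 (14-06-39).txt

Scan type: Quick scan
Objects scanned: 166772
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Value: 7bde84a2-f58f-46ec-9eac-f1f90fead080 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Constructed Example (Rogue.Example) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<family>) [-> Value: <value>] -> <action>."
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Value: (?P<value>.+?))?"
    r" -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return (summary counts by section, list of detection dicts)."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        # Header lines before the first section are not detections.
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def assess(summary, detections):
    """Cross-check counts against entries and sort the entries by what they imply."""
    per_section = {}
    for d in detections:
        per_section[d["section"]] = per_section.get(d["section"], 0) + 1
    return {
        "total": len(detections),
        # A count that does not match the entries means the log was truncated or edited.
        "mismatches": sorted(s for s, n in summary.items() if per_section.get(s, 0) != n),
        "rootkits": [d for d in detections if d["family"].split(".")[0] == "Rootkit"],
        "traces": [d for d in detections if d["family"].endswith(".Trace")],
        # Anything not quarantined outright (e.g. scheduled for reboot) needs a follow-up.
        "unresolved": [d for d in detections
                       if d["action"] != "Quarantined and deleted successfully"],
    }


if __name__ == "__main__":
    s, d = parse_mbam_log(SAMPLE_LOG)
    print(assess(s, d))
```

    On the log in this thread the parser reports one Malware.Trace value and nothing in the rootkit bucket, which matches the poster's experience: a trace key was cleaned, but the component producing the redirects was not among the detections.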
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please give me an update on the system.
  25. Puchatek

    Puchatek Newcomer, in training Topic Starter Posts: 19

    I'm sorry, but what exactly do you mean by that?