TechSpot

Need help with Google redirect

Solved
By Evangelical
Nov 24, 2010
Topic Status:
Not open for further replies.
  1. i have a Win XP Pro laptop with the redirect issue. I have applied the 6 step suggested in the forum. The resulting logs follow.
    Thanks in advance for your help!

    Malwarebytes log:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5184

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/24/2010 1:07:20 PM
    mbam-log-2010-11-24 (13-07-20).txt

    Scan type: Quick scan
    Objects scanned: 163923
    Time elapsed: 8 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\kmiller\Application Data\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.


    GMER log:
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-11-24 13:25:33
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1246GSX rev.LB213M
    Running: ftob31p1.exe; Driver: C:\DOCUME~1\KENMIL~1\LOCALS~1\Temp\kxddqpob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 234441392 (+254): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DBC9A6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9DBC940]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9DBC954]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DBC9BA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DBC9E6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9DBCA54]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9DBCA3E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9DBCA6A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DBCAFE]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9DBCA96]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DBC992]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DBC904]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DBC918]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9DBCAD2]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9DBCA28]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9DBCA12]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DBC9D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9DBCABE]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9DBCAAA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9DBC97E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9DBC96A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DBC9FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DBCB2D]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9DBCA80]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DBCB14]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DBCAE8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A606AEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A606AEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A606AEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A606AEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-12 8A606AEA

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1246GSX_______________________LB213M__#5&22499e11&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    DDS.txt:

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Ken Miller at 13:32:30.34 on Wed 11/24/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1374 [GMT -5:00]

    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    svchost.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\TOSHIBA\IVP\ISM\pinger.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Atheros\ACU.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Ken Miller\Application Data\U3\00001680D773D557\LaunchPad.exe
    C:\Documents and Settings\Ken Miller\Desktop\logs\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Page_URL = hxxp://msn.com
    mDefault_Search_URL = hxxp://msn.com
    mSearch Page = hxxp://google.com
    mStart Page = hxxp://msn.com
    uInternet Settings,ProxyServer = jal.lmf.net:8013
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    mRun: [TPSMain] TPSMain.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
    mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
    mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
    mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [CFSServ.exe] CFSServ.exe -NoClient
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: AtiExtEvent - Ati2evxx.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\kenmil~1\applic~1\mozilla\firefox\profiles\i90y8dfj.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - prefs.js: network.proxy.ftp - jal.lmf.net
    FF - prefs.js: network.proxy.ftp_port - 8013
    FF - prefs.js: network.proxy.gopher - jal.lmf.net
    FF - prefs.js: network.proxy.gopher_port - 8013
    FF - prefs.js: network.proxy.http - jal.lmf.net
    FF - prefs.js: network.proxy.http_port - 8013
    FF - prefs.js: network.proxy.socks - jal.lmf.net
    FF - prefs.js: network.proxy.socks_port - 8013
    FF - prefs.js: network.proxy.ssl - jal.lmf.net
    FF - prefs.js: network.proxy.ssl_port - 8013
    FF - prefs.js: network.proxy.type - 0
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {033D3051-0DA4-4AA6-9A8E-86651C3568CF} - c:\documents and settings\ken miller\local settings\application data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}
    FF - HiddenExtension: XULRunner: {40C0C7D2-D432-4459-9AD3-75ABCC68B95C} - c:\documents and settings\ken miller\local settings\application data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-8-25 147984]
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-21 344712]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-8-25 22816]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-8-25 66880]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-12-12 69192]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-10-5 5888]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-21 91896]
    S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-21 43192]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-12-12 66536]
    S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-8-3 50704]
    S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\up_date\pedrv.sys --> c:\sysprep\up_date\PEDrv.sys [?]

    =============== Created Last 30 ================

    2010-11-24 17:45:14 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-10-26 19:07:50 -------- d-----w- C:\Microsoft

    ==================== Find3M ====================

    2010-09-24 07:49:12 8704 ----a-w- c:\windows\system32\bootexctrl.exe
    2010-09-24 07:49:04 11776 ----a-w- c:\windows\system32\wgx.dll
    2010-09-24 07:49:02 24576 ----a-w- c:\windows\system32\udefrag.exe
    2010-09-24 07:49:00 14848 ----a-w- c:\windows\system32\lua5.1a_gui.exe
    2010-09-24 07:49:00 10752 ----a-w- c:\windows\system32\lua5.1a.exe
    2010-09-24 07:48:58 92160 ----a-w- c:\windows\system32\lua5.1a.dll
    2010-09-24 07:48:52 8192 ----a-w- c:\windows\system32\udefrag.dll
    2010-09-24 07:48:52 6144 ----a-w- c:\windows\system32\hibernate4win.exe
    2010-09-24 07:48:50 48640 ----a-w- c:\windows\system32\udefrag-kernel.dll
    2010-09-24 07:48:46 47104 ----a-w- c:\windows\system32\zenwinx.dll
    2010-09-24 07:48:40 88064 ----a-w- c:\windows\system32\defrag_native.exe
    2010-08-30 14:12:04 0 ----a-w- c:\windows\Qgicigobab.bin

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK1246GSX rev.LB213M -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A606EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88be4872; SUB DWORD [EBP-0x4], 0x88be412e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A801AB8]
    3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000079[0x8A7C2E98]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A864940]
    [0x8A72B7D0] -> IRP_MJ_CREATE -> 0x8A606EC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1246GSX_______________________LB213M__#5&22499e11&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A606AEA
    user & kernel MBR OK
    sectors 234441646 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 13:34:02.61 ===============


    Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/21/2008 12:39:47 PM
    System Uptime: 11/24/2010 1:07:55 PM (0 hours ago)

    Motherboard: ATI | | SB600
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-60 | Socket M2/S1G1 | 1995/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 103 GiB total, 78.309 GiB free.
    D: is CDROM ()
    E: is CDROM (CDFS)
    G: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Synaptics PS/2 Port TouchPad
    Device ID: ACPI\SYN1909\4&839A984&0
    Manufacturer: Synaptics
    Name: Synaptics PS/2 Port TouchPad
    PNP Device ID: ACPI\SYN1909\4&839A984&0
    Service: i8042prt

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\33327EA580D1E
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\33327EA580D1E
    Service: NIC1394

    Class GUID: {72631E54-78A4-11D0-BCF7-00AA00B7B32A}
    Description: Microsoft ACPI-Compliant Control Method Battery
    Device ID: ACPI\PNP0C0A\1
    Manufacturer: Microsoft
    Name: Microsoft ACPI-Compliant Control Method Battery
    PNP Device ID: ACPI\PNP0C0A\1
    Service: CmBatt

    Class GUID: {72631E54-78A4-11D0-BCF7-00AA00B7B32A}
    Description: Microsoft AC Adapter
    Device ID: ACPI\ACPI0003\2&DABA3FF&0
    Manufacturer: Microsoft
    Name: Microsoft AC Adapter
    PNP Device ID: ACPI\ACPI0003\2&DABA3FF&0
    Service: CmBatt

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Audio Codecs
    Device ID: ROOT\MEDIA\MS_MMACM
    Manufacturer: (Standard system devices)
    Name: Audio Codecs
    PNP Device ID: ROOT\MEDIA\MS_MMACM
    Service: audstub

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Legacy Audio Drivers
    Device ID: ROOT\MEDIA\MS_MMDRV
    Manufacturer: (Standard system devices)
    Name: Legacy Audio Drivers
    PNP Device ID: ROOT\MEDIA\MS_MMDRV
    Service: audstub

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Media Control Devices
    Device ID: ROOT\MEDIA\MS_MMMCI
    Manufacturer: (Standard system devices)
    Name: Media Control Devices
    PNP Device ID: ROOT\MEDIA\MS_MMMCI
    Service: audstub

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Legacy Video Capture Devices
    Device ID: ROOT\MEDIA\MS_MMVCD
    Manufacturer: (Standard system devices)
    Name: Legacy Video Capture Devices
    PNP Device ID: ROOT\MEDIA\MS_MMVCD
    Service: audstub

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Video Codecs
    Device ID: ROOT\MEDIA\MS_MMVID
    Manufacturer: (Standard system devices)
    Name: Video Codecs
    PNP Device ID: ROOT\MEDIA\MS_MMVID
    Service: audstub

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Direct Parallel
    Device ID: ROOT\MS_PTIMINIPORT\0000
    Manufacturer: Microsoft
    Name: Direct Parallel
    PNP Device ID: ROOT\MS_PTIMINIPORT\0000
    Service: Raspti

    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft System Management BIOS Driver
    Device ID: ROOT\SYSTEM\0002
    Manufacturer: (Standard system devices)
    Name: Microsoft System Management BIOS Driver
    PNP Device ID: ROOT\SYSTEM\0002
    Service: mssmbios

    ==== System Restore Points ===================

    RP306: 8/30/2010 2:39:22 PM - System Checkpoint
    RP307: 8/31/2010 3:01:44 PM - System Checkpoint
    RP308: 9/2/2010 5:53:49 PM - System Checkpoint
    RP309: 9/7/2010 11:24:23 AM - System Checkpoint
    RP310: 9/9/2010 12:59:43 PM - System Checkpoint
    RP311: 9/10/2010 6:58:17 PM - System Checkpoint
    RP312: 9/13/2010 10:45:57 AM - System Checkpoint
    RP313: 9/14/2010 2:03:54 PM - System Checkpoint
    RP314: 9/16/2010 12:40:47 PM - System Checkpoint
    RP315: 9/20/2010 5:00:00 PM - System Checkpoint
    RP316: 9/21/2010 5:11:44 PM - System Checkpoint
    RP317: 9/28/2010 10:42:15 AM - System Checkpoint
    RP318: 9/30/2010 5:58:52 PM - System Checkpoint
    RP319: 10/4/2010 5:31:07 PM - System Checkpoint
    RP320: 10/12/2010 2:23:18 PM - Configured 2007 Microsoft Office system
    RP321: 10/13/2010 9:33:39 AM - Removed Ad-Aware
    RP322: 10/13/2010 2:13:33 PM - Restore Operation
    RP323: 10/13/2010 2:28:46 PM - Removed Ad-Aware
    RP324: 10/18/2010 11:29:30 AM - System Checkpoint
    RP325: 11/8/2010 12:37:13 PM - System Checkpoint
    RP326: 11/9/2010 3:07:23 PM - System Checkpoint
    RP327: 11/11/2010 9:26:02 AM - System Checkpoint
    RP328: 11/15/2010 2:53:58 PM - System Checkpoint
    RP329: 11/16/2010 3:02:25 PM - System Checkpoint
    RP330: 11/18/2010 10:42:14 AM - System Checkpoint
    RP331: 11/22/2010 3:14:07 PM - System Checkpoint
    RP332: 11/23/2010 3:57:19 PM - System Checkpoint

    ==== Installed Programs ======================

    2007 Microsoft Office system
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    AMD Processor Driver
    Apple Mobile Device Support
    Apple Software Update
    Atheros Client Utility
    Atheros Driver Installation Program
    ATI Catalyst Control Center
    ATI Display Driver
    Bluetooth Stack for Windows by Toshiba
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Czech
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Greek
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    CD/DVD Drive Acoustic Silencer
    Compatibility Pack for the 2007 Office system
    CutePDF Writer 2.7
    Foxit Reader
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    InterVideo WinDVD for TOSHIBA
    iTunes
    Java(TM) 6 Update 11
    Java(TM) 6 Update 3
    Kyocera FS-C1020MFP Twain
    Kyocera Product Library
    Malwarebytes' Anti-Malware
    McAfee Agent
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Edition 2003
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Mozilla Firefox (3.6.12)
    Mozilla Thunderbird (3.1.6)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1)
    OGA Notifier 2.0.0048.0
    QuickTime
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB980376)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Skins
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Controls
    TOSHIBA Direct Disc Writer
    TOSHIBA Disc Creator
    TOSHIBA Hotkey Utility
    TOSHIBA PC Diagnostic Tool
    TOSHIBA Power Saver
    TOSHIBA Recovery Disc Creator
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA TouchPad ON/Off Utility
    TOSHIBA Utilities
    TOSHIBA Zooming Utility
    Ultra Defragmenter
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Outlook 2007 Junk Email Filter (kb2202131)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    11/24/2010 12:17:54 PM, error: Dhcp [1002] - The IP address lease 192.168.10.148 for the Network Card with network address 001B9EB757A5 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    11/24/2010 1:23:57 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    11/24/2010 1:08:28 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    11/23/2010 2:51:45 PM, error: Dhcp [1002] - The IP address lease 192.168.2.34 for the Network Card with network address 001B9EB757A5 has been denied by the DHCP server 192.168.10.1 (The DHCP Server sent a DHCPNACK message).
    11/23/2010 2:50:40 PM, error: Dhcp [1002] - The IP address lease 192.168.10.148 for the Network Card with network address 001B9EB757A5 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    11/23/2010 12:42:15 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    11/23/2010 12:42:15 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    11/18/2010 10:43:19 AM, error: NETLOGON [5719] - No Domain Controller is available for domain AD due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

    ==== End Of File ===========================
  2. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to TechSpot forums :).

    ====

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix..

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
  3. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    ComboFix log

    ComboFix 10-11-25.05 - Ken Miller 11/26/2010 9:32.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1437 [GMT -5:00]
    Running from: c:\documents and settings\Ken Miller\Desktop\ComboFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}
    c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}\chrome.manifest
    c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}\chrome\content\overlay.xul
    c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}\install.rdf
    c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}
    c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}\chrome.manifest
    c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}\chrome\content\overlay.xul
    c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}\install.rdf
    C:\Microsoft
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_NPF
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
    .

    2010-11-24 17:45 . 2010-11-26 14:31 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-11-01 16:31 . 2010-11-01 16:31 -------- d-----w- c:\documents and settings\kmiller\Local Settings\Application Data\Microsoft Help

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-24 07:49 . 2010-09-24 07:49 8704 ----a-w- c:\windows\system32\bootexctrl.exe
    2010-09-24 07:49 . 2010-09-24 07:49 11776 ----a-w- c:\windows\system32\wgx.dll
    2010-09-24 07:49 . 2010-09-24 07:49 24576 ----a-w- c:\windows\system32\udefrag.exe
    2010-09-24 07:49 . 2010-09-24 07:49 14848 ----a-w- c:\windows\system32\lua5.1a_gui.exe
    2010-09-24 07:49 . 2010-09-24 07:49 10752 ----a-w- c:\windows\system32\lua5.1a.exe
    2010-09-24 07:48 . 2010-09-24 07:48 92160 ----a-w- c:\windows\system32\lua5.1a.dll
    2010-09-24 07:48 . 2010-09-24 07:48 8192 ----a-w- c:\windows\system32\udefrag.dll
    2010-09-24 07:48 . 2010-09-24 07:48 6144 ----a-w- c:\windows\system32\hibernate4win.exe
    2010-09-24 07:48 . 2010-09-24 07:48 48640 ----a-w- c:\windows\system32\udefrag-kernel.dll
    2010-09-24 07:48 . 2010-09-24 07:48 47104 ----a-w- c:\windows\system32\zenwinx.dll
    2010-09-24 07:48 . 2010-09-24 07:48 88064 ----a-w- c:\windows\system32\defrag_native.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CFSServ.exe"="CFSServ.exe -NoClient" [X]
    "TPSMain"="TPSMain.exe" [2007-10-08 262144]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "ACU"="c:\program files\Atheros\ACU.exe" [2007-08-03 376921]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
    "THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2007-08-28 356352]
    "DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
    "SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
    "RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
    "Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-26 124224]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
    "c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [8/25/2010 7:07 PM 22816]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/12/2008 10:50 AM 69192]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 2:22 PM 105856]
    R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 2:15 PM 134016]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [10/5/2007 7:08 AM 5888]
    S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/12/2008 10:50 AM 66536]
    S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\UP_date\PEDrv.sys --> c:\sysprep\UP_date\PEDrv.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-11-01 c:\windows\Tasks\CleanXP.job
    - c:\utilities\CleanXP.bat [2008-04-21 18:36]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://msn.com
    uInternet Settings,ProxyServer = jal.lmf.net:8013
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Ken Miller\Application Data\Mozilla\Firefox\Profiles\i90y8dfj.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - prefs.js: network.proxy.ftp - jal.lmf.net
    FF - prefs.js: network.proxy.ftp_port - 8013
    FF - prefs.js: network.proxy.gopher - jal.lmf.net
    FF - prefs.js: network.proxy.gopher_port - 8013
    FF - prefs.js: network.proxy.http - jal.lmf.net
    FF - prefs.js: network.proxy.http_port - 8013
    FF - prefs.js: network.proxy.socks - jal.lmf.net
    FF - prefs.js: network.proxy.socks_port - 8013
    FF - prefs.js: network.proxy.ssl - jal.lmf.net
    FF - prefs.js: network.proxy.ssl_port - 8013
    FF - prefs.js: network.proxy.type - 0
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-26 09:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK1246GSX rev.LB213M -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A605EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88be4872; SUB DWORD [EBP-0x4], 0x88be412e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A83A9A0]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007a[0x8A7F2260]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A7CFD98]
    [0x8A6E3D58] -> IRP_MJ_CREATE -> 0x8A605EC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1246GSX_______________________LB213M__#5&22499e11&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A605AEA
    user & kernel MBR OK
    sectors 234441646 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(944)
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(1004)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3068)
    c:\windows\system32\WININET.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\acs.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\toshiba\IVP\swupdate\swupdtmr.exe
    c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
    c:\windows\system32\TPSMain.exe
    c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
    c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\TPSBattM.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-26 09:49:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-26 14:49

    Pre-Run: 83,958,190,080 bytes free
    Post-Run: 83,858,132,992 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

    - - End Of File - - 6938ACA524EBB8115A8C53943653F1EF
  4. crunchie

    crunchie Malware Helper Posts: 761

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

    • If an infected file is detected, the default action will be Cure, click on Continue.

    • If a suspicious file is detected, the default action will be Skip, click on Continue.

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  5. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    TDSSKiller Log

    2010/11/29 08:50:01.0546 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
    2010/11/29 08:50:01.0546 ================================================================================
    2010/11/29 08:50:01.0546 SystemInfo:
    2010/11/29 08:50:01.0546
    2010/11/29 08:50:01.0546 OS Version: 5.1.2600 ServicePack: 3.0
    2010/11/29 08:50:01.0546 Product type: Workstation
    2010/11/29 08:50:01.0546 ComputerName: K_MILLER
    2010/11/29 08:50:01.0546 UserName: Ken Miller
    2010/11/29 08:50:01.0546 Windows directory: C:\WINDOWS
    2010/11/29 08:50:01.0546 System windows directory: C:\WINDOWS
    2010/11/29 08:50:01.0546 Processor architecture: Intel x86
    2010/11/29 08:50:01.0546 Number of processors: 2
    2010/11/29 08:50:01.0546 Page size: 0x1000
    2010/11/29 08:50:01.0546 Boot type: Normal boot
    2010/11/29 08:50:01.0546 ================================================================================
    2010/11/29 08:50:01.0921 Initialize success
    2010/11/29 08:50:56.0015 ================================================================================
    2010/11/29 08:50:56.0015 Scan started
    2010/11/29 08:50:56.0015 Mode: Manual;
    2010/11/29 08:50:56.0015 ================================================================================
    2010/11/29 08:50:56.0484 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/11/29 08:50:56.0515 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2010/11/29 08:50:56.0578 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/11/29 08:50:56.0640 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/11/29 08:50:56.0890 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2010/11/29 08:50:57.0078 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    2010/11/29 08:50:57.0187 AR5211 (89873aebbf0309393f0737e26d891209) C:\WINDOWS\system32\DRIVERS\ar5211.sys
    2010/11/29 08:50:57.0359 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/11/29 08:50:57.0468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/11/29 08:50:57.0500 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/11/29 08:50:57.0625 ati2mtag (3b88b6466896cc1a3a7e3287d72aca85) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2010/11/29 08:50:57.0828 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/11/29 08:50:57.0843 audstub (0316b8d040485aea50bc60d4c58d79a6) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/11/29 08:50:57.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/11/29 08:50:58.0000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/11/29 08:50:58.0031 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/11/29 08:50:58.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/11/29 08:50:58.0265 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/11/29 08:50:58.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/11/29 08:50:58.0375 CmBatt (cfaa868f6038fd41f3aae5ebbe577d89) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2010/11/29 08:50:58.0640 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2010/11/29 08:50:58.0812 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/11/29 08:50:59.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/11/29 08:50:59.0140 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/11/29 08:50:59.0312 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/11/29 08:50:59.0484 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/11/29 08:50:59.0703 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    2010/11/29 08:50:59.0765 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    2010/11/29 08:50:59.0890 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
    2010/11/29 08:51:00.0156 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/11/29 08:51:00.0203 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/11/29 08:51:00.0265 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/11/29 08:51:00.0296 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/11/29 08:51:00.0343 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/11/29 08:51:00.0531 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/11/29 08:51:00.0562 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/11/29 08:51:00.0609 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/11/29 08:51:00.0625 FwLnk (4d52c52101492c450518124c592d8925) C:\WINDOWS\system32\DRIVERS\FwLnk.sys
    2010/11/29 08:51:00.0828 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2010/11/29 08:51:00.0968 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/11/29 08:51:01.0109 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/11/29 08:51:01.0156 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/11/29 08:51:01.0328 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/11/29 08:51:01.0437 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/11/29 08:51:01.0484 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/11/29 08:51:01.0703 IntcAzAudAddService (8c65fcf7ab3389e7c224ea2ec4456f2d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/11/29 08:51:02.0078 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/11/29 08:51:02.0125 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/11/29 08:51:02.0187 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/11/29 08:51:02.0234 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/11/29 08:51:02.0421 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/11/29 08:51:02.0468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/11/29 08:51:02.0515 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/11/29 08:51:02.0593 Kbdclass (fd13429e2beac0010eb269461450a6be) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/11/29 08:51:02.0593 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: fd13429e2beac0010eb269461450a6be, Fake md5: 463c1ec80cd17420a542b7f36a36f128
    2010/11/29 08:51:02.0593 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/11/29 08:51:02.0625 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/11/29 08:51:02.0812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/11/29 08:51:02.0875 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/11/29 08:51:03.0000 mfeapfk (a8d2c54c2f71f5cba7ca2734341e57e6) C:\WINDOWS\system32\drivers\mfeapfk.sys
    2010/11/29 08:51:03.0093 mfeavfk (28bb783d85df19e9e007e81daf40adcc) C:\WINDOWS\system32\drivers\mfeavfk.sys
    2010/11/29 08:51:03.0328 mfebopk (8e43e242073e9db5aa165ebe273ffd09) C:\WINDOWS\system32\drivers\mfebopk.sys
    2010/11/29 08:51:03.0375 mfehidk (e94d35a2a9b175b34b995ab37216c73e) C:\WINDOWS\system32\drivers\mfehidk.sys
    2010/11/29 08:51:03.0421 mferkdet (f68c9cda15114b360727fe622e4aec6f) C:\WINDOWS\system32\drivers\mferkdet.sys
    2010/11/29 08:51:03.0531 mfetdik (78efa6fd2a486c476045eaa1d2f218b7) C:\WINDOWS\system32\drivers\mfetdik.sys
    2010/11/29 08:51:03.0656 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/11/29 08:51:03.0734 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/11/29 08:51:03.0906 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/11/29 08:51:03.0968 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/11/29 08:51:04.0015 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/11/29 08:51:04.0062 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/11/29 08:51:04.0140 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/11/29 08:51:04.0328 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/11/29 08:51:04.0515 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/11/29 08:51:04.0625 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/11/29 08:51:04.0656 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/11/29 08:51:04.0718 mssmbios (bc3c1c3d36711161d7c6f5d52b6486b2) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/11/29 08:51:04.0781 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/11/29 08:51:04.0984 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/11/29 08:51:05.0031 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/11/29 08:51:05.0093 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/11/29 08:51:05.0187 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/11/29 08:51:05.0281 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/11/29 08:51:05.0328 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/11/29 08:51:05.0359 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/11/29 08:51:05.0375 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/11/29 08:51:05.0406 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/11/29 08:51:05.0468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/11/29 08:51:05.0531 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
    2010/11/29 08:51:05.0703 NIC1394 (c03a4601dc3a23e9dd4d75e046ed490e) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/11/29 08:51:05.0875 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/11/29 08:51:05.0937 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/11/29 08:51:06.0031 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/11/29 08:51:06.0078 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/11/29 08:51:06.0109 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/11/29 08:51:06.0218 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
    2010/11/29 08:51:06.0265 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
    2010/11/29 08:51:06.0296 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
    2010/11/29 08:51:06.0406 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/11/29 08:51:06.0468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2010/11/29 08:51:06.0578 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/11/29 08:51:06.0640 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/11/29 08:51:06.0734 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/11/29 08:51:06.0781 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/11/29 08:51:06.0890 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/11/29 08:51:07.0078 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/11/29 08:51:07.0093 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/11/29 08:51:07.0187 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/11/29 08:51:07.0328 Ptilink (e91ec7958f178cb758cebaf427c62729) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/11/29 08:51:07.0406 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ptilink.sys. Real md5: e91ec7958f178cb758cebaf427c62729, Fake md5: fa040d17f355759229fa08e1f9735ad8
    2010/11/29 08:51:07.0406 Ptilink - detected Forged file (1)
    2010/11/29 08:51:07.0546 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/11/29 08:51:07.0609 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/11/29 08:51:07.0687 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/11/29 08:51:07.0781 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/11/29 08:51:07.0812 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/11/29 08:51:07.0875 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/11/29 08:51:07.0906 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/11/29 08:51:07.0968 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/11/29 08:51:08.0093 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/11/29 08:51:08.0171 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
    2010/11/29 08:51:08.0312 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
    2010/11/29 08:51:08.0468 rismxdp (d231b577024aa324af13a42f3a807d10) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
    2010/11/29 08:51:08.0531 RTLE8023xp (badabe0940c01619e8510b90fb314929) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2010/11/29 08:51:08.0656 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2010/11/29 08:51:08.0750 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/11/29 08:51:08.0875 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2010/11/29 08:51:08.0921 Sfloppy (df7c158d631f61b1f67161d47ac9bc5a) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/11/29 08:51:09.0109 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/11/29 08:51:09.0203 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/11/29 08:51:09.0281 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/11/29 08:51:09.0359 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/11/29 08:51:09.0453 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/11/29 08:51:09.0546 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/11/29 08:51:09.0593 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/11/29 08:51:09.0765 SynTP (7b36f8ac636168184bab1aa20db1150b) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2010/11/29 08:51:09.0796 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/11/29 08:51:09.0906 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/11/29 08:51:10.0031 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
    2010/11/29 08:51:10.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/11/29 08:51:10.0171 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/11/29 08:51:10.0234 tdudf (f56a9327c58ff985616c5e197472932c) C:\WINDOWS\system32\DRIVERS\tdudf.sys
    2010/11/29 08:51:10.0328 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/11/29 08:51:10.0578 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
    2010/11/29 08:51:10.0703 trudf (3f9ba8878aa26d0831116733f9bc53ff) C:\WINDOWS\system32\DRIVERS\trudf.sys
    2010/11/29 08:51:10.0765 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/11/29 08:51:10.0953 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/11/29 08:51:11.0031 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2010/11/29 08:51:11.0078 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/11/29 08:51:11.0250 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/11/29 08:51:11.0312 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/11/29 08:51:11.0359 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2010/11/29 08:51:11.0421 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/11/29 08:51:11.0546 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2010/11/29 08:51:11.0609 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/11/29 08:51:11.0671 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/11/29 08:51:11.0718 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/11/29 08:51:11.0828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/11/29 08:51:11.0937 WSIMD (2ea107f535b0b7bfb1d8d6bd79325dbb) C:\WINDOWS\system32\DRIVERS\wsimd.sys
    2010/11/29 08:51:12.0109 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/11/29 08:51:12.0328 ================================================================================
    2010/11/29 08:51:12.0328 Scan finished
    2010/11/29 08:51:12.0328 ================================================================================
    2010/11/29 08:51:12.0343 Detected object count: 2
    2010/11/29 08:51:35.0953 Kbdclass (fd13429e2beac0010eb269461450a6be) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/11/29 08:51:35.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: fd13429e2beac0010eb269461450a6be, Fake md5: 463c1ec80cd17420a542b7f36a36f128
    2010/11/29 08:51:36.0453 Backup copy found, using it..
    2010/11/29 08:51:36.0546 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
    2010/11/29 08:51:36.0546 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
    2010/11/29 08:51:36.0546 Forged file(Ptilink) - User select action: Skip
    2010/11/29 08:51:50.0828 Deinitialize success
  6. crunchie

    crunchie Malware Helper Posts: 761

    How are things now?
  7. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    Looking better.

    The redirects are not occuring at the moment.
    Is it possible that some email messages would have gotten deleted during the process? (Outlook Express)
    I did not run any applications other than Firefox during the time you were assisting me.

    Thanks again for your help!
  8. crunchie

    crunchie Malware Helper Posts: 761

    I cannot see in the logs that any outlook items were deleted, but thats not to say that it did not happen at some stage, although I cannot remember having that happen before.

    ==

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

  9. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    ESET log

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=af331b6d0beef14b896cb095e8e75ef3
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-12-01 01:53:16
    # local_time=2010-12-01 08:53:16 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=70361
    # found=0
    # cleaned=0
    # scan_time=2050
  10. crunchie

    crunchie Malware Helper Posts: 761

    That looks good. Give it a couple of days and then let me know how it is please.
  11. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    So far, so good.
    Redirects / hijacks have ceased.
     
  12. crunchie

    crunchie Malware Helper Posts: 761

    Good news and thanks for getting back :).

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC by OldTimer:
    Save it to your Desktop.
    Double click OTC.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.