Inactive Google redirect problems, 8 steps done, logs posted


Jace0207

Having a problem with a Google redirect. I have completed the 8 steps; the logs are below. Thanks in advance for the help.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5176

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

11/23/2010 10:47:57 AM
mbam-log-2010-11-23 (10-47-57).txt

Scan type: Quick scan
Objects scanned: 143068
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-23 11:04:29
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD16 rev.11.0
Running: gmer.exe; Driver: C:\Users\JOYMIL~1\AppData\Local\Temp\pxrcrkoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8CDB4BAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8CDB49D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8CDB4B0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 8702A292
Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 8702A292
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVS-26VAT0___________________11.01A11#4&939d6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
 
DDS (Ver_10-11-10.01) - NTFSx86
Run by Joy Milam at 11:07:30.82 on Tue 11/23/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.819 [GMT -8:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Joy Milam\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\Joy Milam\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe /hide:60
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Skytel] Skytel.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\joymil~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mlbtvn~1.lnk - c:\users\joy milam\appdata\local\autobahn\mlb-nexdef-autobahn.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\joymil~1\appdata\roaming\mozilla\firefox\profiles\qhx4z701.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.klove.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\joy milam\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-2 165584]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-15 20384]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-2 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-2 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-16 40960]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-18 62776]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-2 40384]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-18 7168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-15 954368]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-21 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-23 09:44:28 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{d8342f02-9b5c-473c-a8c1-69004f1410e7}\mpengine.dll
2010-11-10 18:08:31 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-10 04:24:26 -------- d-----w- c:\users\joymil~1\appdata\local\Xenocode
2010-11-06 19:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-06 19:37:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-10-27 04:58:58 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 04:58:57 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 04:58:56 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2010-10-19 18:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-15 12:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:23:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 17:07:35 834048 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 15:23:27 389632 ----a-w- c:\windows\system32\html.iec
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: WDC_WD16 rev.11.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8702A446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87030504]; MOV EAX, [0x87030580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82858962] -> \Device\Harddisk0\DR0[0x86A91780]
3 CLASSPNP[0x8330C8B3] -> ntkrnlpa!IofCallDriver[0x82858962] -> [0x87088880]
\Driver\iaStor[0x8700FCF8] -> IRP_MJ_CREATE -> 0x8702A446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600BEVS-26VAT0___________________11.01A11#4&939d6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x8702A292
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 11:08:20.57 ===============
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 1/15/2009 10:22:49 PM
System Uptime: 11/23/2010 10:32:33 AM (1 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | CPU | 2166/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 140 GiB total, 38.961 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Adobe Shockwave Player 11.5
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
avast! Free Antivirus
BurnAware Free 2.4.7
CD/DVD Drive Acoustic Silencer
CDisplay 1.8
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
DC Universe Online
DVD MovieFactory for TOSHIBA
Facebook Plug-In
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 6
K-Lite Codec Pack 4.7.0 (Standard)
LeapFrog Connect
LeapFrog Leapster2 Plugin
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Microsoft XML Parser
MLBScoreboard
Mozilla Firefox (3.6.12)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
QuickBooks Financial Center
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Spelling Dictionaries Support For Adobe Reader 8
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Desktop Links
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA Service Station
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
Update for Office System 2007 Setup (KB929722)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)
Ventrilo Client
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Toolbar
Zune
Zune Language Pack (DE)
Zune Language Pack (ES)
Zune Language Pack (FR)
Zune Language Pack (IT)

==== End Of File ===========================
 
Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

===========

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
ComboFix 10-11-23.01 - Joy Milam 11/23/2010 14:17:10.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.1242 [GMT -8:00]
Running from: c:\users\Joy Milam\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-23 22:23 . 2010-11-23 22:23 -------- d-----w- c:\users\Joy Milam\AppData\Local\temp
2010-11-23 22:23 . 2010-11-23 22:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-23 09:44 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D8342F02-9B5C-473C-A8C1-69004F1410E7}\mpengine.dll
2010-11-23 09:18 . 2010-11-23 09:18 -------- d-----w- c:\windows\Sun
2010-11-10 18:08 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-10 04:24 . 2010-11-10 04:24 -------- d-----w- c:\users\Joy Milam\AppData\Local\Xenocode
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-10-27 04:58 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 04:58 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 04:58 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 18:41 . 2009-12-04 18:22 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-09-15 12:50 . 2010-06-04 05:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-13 23:10 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 17:23 . 2010-10-13 23:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 17:07 . 2010-10-13 23:09 834048 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 15:23 . 2010-10-13 23:09 389632 ----a-w- c:\windows\system32\html.iec
2010-09-07 15:12 . 2010-09-24 02:54 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-06-03 05:12 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-06-03 05:13 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-06-03 05:13 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-06-03 05:13 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-06-03 05:13 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-07 14:47 . 2010-06-03 05:13 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-06 16:20 . 2010-10-13 22:44 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 22:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 22:44 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 22:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 22:44 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-13 23:09 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-13 23:09 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-13 22:20 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-13 22:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-13 22:25 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33 . 2010-10-27 04:58 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-27 04:58 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33 . 2010-10-27 04:58 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-27 04:58 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"NDSTray.exe"="NDSTray.exe" [BU]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-04-02 1283384]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Joy Milam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MLB.TV NexDef Plug-in.lnk - c:\users\Joy Milam\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe [2009-4-1 801032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-04-02 62776]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\users\Joy Milam\AppData\Roaming\Mozilla\Firefox\Profiles\qhx4z701.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.klove.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Joy Milam\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - %ProgramFiles%\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-23 14:23
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????? ?m??h?????????????????

scanning hidden files ...


c:\windows\TEMP\TMP00000041E5FE16DD07EDD0E5 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-11-23 14:24:55
ComboFix-quarantined-files.txt 2010-11-23 22:24

Pre-Run: 41,812,312,064 bytes free
Post-Run: 41,749,499,904 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - F188399E402CD9CA9479EC8187F7C733

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: TOSHIBA
BIOS Manufacturer: INSYDE
System Manufacturer: TOSHIBA
System Product Name: Satellite L305
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 146):
0x82850000 \SystemRoot\system32\ntkrnlpa.exe
0x8281D000 \SystemRoot\system32\hal.dll
0x80405000 \SystemRoot\system32\kdcom.dll
0x8040C000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047C000 \SystemRoot\system32\PSHED.dll
0x8048D000 \SystemRoot\system32\BOOTVID.dll
0x80495000 \SystemRoot\system32\CLFS.SYS
0x804D6000 \SystemRoot\system32\CI.dll
0x80605000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80676000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80684000 \SystemRoot\system32\drivers\acpi.sys
0x806CA000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806D3000 \SystemRoot\system32\drivers\msisadrv.sys
0x806DB000 \SystemRoot\system32\drivers\pci.sys
0x80702000 \SystemRoot\System32\drivers\partmgr.sys
0x80711000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80714000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8071E000 \SystemRoot\system32\drivers\volmgr.sys
0x8072D000 \SystemRoot\System32\drivers\volmgrx.sys
0x80777000 \SystemRoot\System32\drivers\mountmgr.sys
0x82E00000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x82ECE000 \SystemRoot\system32\drivers\atapi.sys
0x82ED6000 \SystemRoot\system32\drivers\ataport.SYS
0x82EF4000 \SystemRoot\system32\drivers\fltmgr.sys
0x82F26000 \SystemRoot\system32\drivers\fileinfo.sys
0x82F36000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x82F3F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8800C000 \SystemRoot\system32\drivers\ndis.sys
0x88117000 \SystemRoot\system32\drivers\msrpc.sys
0x88142000 \SystemRoot\system32\drivers\NETIO.SYS
0x88202000 \SystemRoot\System32\drivers\tcpip.sys
0x882EC000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8840A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8851A000 \SystemRoot\system32\drivers\volsnap.sys
0x88553000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
0x88558000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
0x8859B000 \SystemRoot\System32\Drivers\spldr.sys
0x885A3000 \SystemRoot\System32\Drivers\mup.sys
0x885B2000 \SystemRoot\System32\drivers\ecache.sys
0x885D9000 \SystemRoot\system32\drivers\disk.sys
0x88307000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x885EA000 \SystemRoot\system32\drivers\crcdisk.sys
0x8817D000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x88400000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x883F6000 \SystemRoot\system32\DRIVERS\FwLnk.sys
0x88188000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x88197000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8C403000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8CAE7000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8CB88000 \SystemRoot\System32\drivers\watchdog.sys
0x8CB94000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8CB9F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8CBDD000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8CE0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8CE99000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8CEBA000 \SystemRoot\system32\DRIVERS\athr.sys
0x8CFA1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8CFB4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8CFBF000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8CFEE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8CFF0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8CE00000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
0x8819B000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x881B3000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x82FB0000 \SystemRoot\system32\DRIVERS\storport.sys
0x8CBEC000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x881E2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x88000000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x80787000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x82FF1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x807AA000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x807BE000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x807D3000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8CE0A000 \SystemRoot\system32\DRIVERS\swenum.sys
0x805B6000 \SystemRoot\system32\DRIVERS\ks.sys
0x807E3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x807ED000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8D000000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8D035000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8D200000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8D046000 \SystemRoot\system32\drivers\portcls.sys
0x8D073000 \SystemRoot\system32\drivers\drmk.sys
0x8D098000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8D1B4000 \SystemRoot\system32\drivers\modem.sys
0x8D1C1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D1CA000 \SystemRoot\System32\Drivers\Null.SYS
0x8D1D1000 \SystemRoot\System32\Drivers\Beep.SYS
0x8D1D8000 \SystemRoot\System32\drivers\vga.sys
0x8D404000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D425000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8D42D000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D435000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D440000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D44E000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8D457000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D46D000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8D477000 \SystemRoot\system32\DRIVERS\smb.sys
0x8D48B000 \SystemRoot\system32\drivers\afd.sys
0x8D4D3000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8D4D8000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D50A000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8D520000 \SystemRoot\system32\DRIVERS\jswpslwf.sys
0x8D525000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8D533000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D546000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8D582000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D58C000 \SystemRoot\System32\Drivers\dfsc.sys
0x8D5A3000 \SystemRoot\System32\Drivers\aswSP.SYS
0x8D5CA000 \SystemRoot\System32\Drivers\crashdmp.sys
0x88328000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x8D5D7000 \SystemRoot\system32\drivers\RTSTOR.SYS
0x94E90000 \SystemRoot\System32\win32k.sys
0x8D5EB000 \SystemRoot\System32\drivers\Dxapi.sys
0x8D5F5000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8D1E4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8D1F4000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8CBF7000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x805E0000 \SystemRoot\system32\DRIVERS\monitor.sys
0x950B0000 \SystemRoot\System32\TSDDD.dll
0x950D0000 \SystemRoot\System32\cdd.dll
0xA8000000 \SystemRoot\system32\drivers\luafv.sys
0xA801B000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0xA8052000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA8055000 \SystemRoot\system32\drivers\WudfPf.sys
0xA806F000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xA807F000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xA80A9000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA80B3000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA80C6000 \SystemRoot\system32\drivers\spsys.sys
0xA8176000 \SystemRoot\system32\drivers\HTTP.sys
0xA81E3000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAA801000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAA81A000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAA82F000 \SystemRoot\system32\drivers\mrxdav.sys
0xAA850000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAA86F000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAA8A8000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAA8C0000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAA8E8000 \SystemRoot\System32\DRIVERS\srv.sys
0xAB000000 \SystemRoot\system32\drivers\peauth.sys
0xAB0DE000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAB0E8000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAB0F4000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xAB10A000 \??\C:\Users\JOYMIL~1\AppData\Local\Temp\catchme.sys
0xAB112000 \??\C:\Windows\system32\Drivers\PROCEXP113.SYS
0x76F70000 \Windows\System32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
464 C:\Windows\System32\smss.exe
596 csrss.exe
644 C:\Windows\System32\wininit.exe
656 csrss.exe
688 C:\Windows\System32\services.exe
744 C:\Windows\System32\winlogon.exe
772 C:\Windows\System32\lsass.exe
780 C:\Windows\System32\lsm.exe
932 C:\Windows\System32\svchost.exe
988 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
1032 C:\Windows\System32\svchost.exe
1072 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1220 C:\Windows\System32\svchost.exe
1240 C:\Windows\System32\svchost.exe
1316 C:\Windows\System32\audiodg.exe
1348 C:\Windows\System32\SLsvc.exe
1396 C:\Windows\System32\svchost.exe
1548 C:\Windows\System32\svchost.exe
1752 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1760 C:\Windows\System32\wlanext.exe
280 C:\Windows\System32\spoolsv.exe
312 C:\Windows\System32\svchost.exe
1080 C:\Windows\System32\agrsmsvc.exe
1448 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
2060 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
2104 C:\Windows\System32\svchost.exe
2120 C:\Windows\System32\svchost.exe
2168 C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
2260 C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
2276 C:\Windows\System32\TODDSrv.exe
2296 C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
2364 C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
2392 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2408 C:\Windows\System32\svchost.exe
2428 C:\Windows\System32\SearchIndexer.exe
2488 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1692 C:\Windows\System32\taskeng.exe
876 C:\Windows\System32\dwm.exe
1620 C:\Windows\explorer.exe
2740 C:\Users\Joy Milam\AppData\Local\Autobahn\mlb-nexdef-autobahn.exe
2252 C:\Windows\System32\SearchProtocolHost.exe
3096 C:\Windows\System32\SearchFilterHost.exe
3164 C:\Program Files\Mozilla Firefox\firefox.exe
3600 C:\Program Files\Mozilla Firefox\plugin-container.exe
2968 C:\Windows\explorer.exe
3920 C:\Users\Joy Milam\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVS-26VAT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: BBAD517F7EAC529451E4B9586C847AE190574F61


Done!
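The indicators that stand out in the logs above (a ProxyServer pointing at 127.0.0.1:5555, a Run entry that catchme reports as hidden with unprintable bytes in its value, a hidden executable under c:\windows\TEMP, and the MBR code string that MBRCheck reports) can be pulled out of this kind of log mechanically. The script below is an added example for this thread; it is not code from the original post or from ComboFix, catchme or MBRCheck. Its sample log is constructed from lines modelled on the posted output, and its rules are triage heuristics, not the tools' own detection logic.

```python
"""Triage a ComboFix / catchme / MBRCheck-style log for browser-redirect indicators.

Added example for this thread; not code from the page or from any tool it names.
Rules are heuristics for the indicator types visible in the posted logs: a proxy
aimed at the loopback interface, Run entries catchme reports as hidden, hidden
executables, and an MBR the checker did not recognise.
"""
import ipaddress
import re

# Constructed sample, modelled on the log lines posted above (not a live capture).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyServer = http=127.0.0.1:5555
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????? ?m??h
scanning hidden files ...
c:\windows\TEMP\TMP00000041E5FE16DD07EDD0E5 524288 bytes executable
scan completed successfully
hidden files: 1
149 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
FILE_RE = re.compile(r"^(?P<path>\S.*?)\s+(?P<size>\d+) bytes(?:\s+(?P<kind>\S+))?\s*$")
MBR_RE = re.compile(r"^(?P<size>\d+\s*[KMGT]B)\s+(?P<device>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+?)\s*$")
MBR_OK_RE = re.compile(r"Windows .*MBR code detected")  # MBRCheck's wording for a recognised MBR


def parse_proxy_entries(value):
    """'http=127.0.0.1:5555;https=h:p' -> [(scheme, host, port), ...]; scheme '*' if unscoped."""
    entries = []
    for item in value.split(";"):
        if not item:
            continue
        scheme, _, hostport = item.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """A proxy on 127.0.0.0/8 or 'localhost' puts a local process between browser and network."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def proxy_entries(log):
    return [e for m in PROXY_RE.finditer(log) for e in parse_proxy_entries(m.group("value"))]


def catchme_sections(log):
    """Split catchme output into hidden autostart (key, name, value) and hidden file records."""
    autostarts, files, section, key = [], [], None, None
    for line in log.splitlines():
        line = line.rstrip()
        if line.startswith("scanning hidden autostart"):
            section = "autostart"
        elif line.startswith("scanning hidden files"):
            section = "files"
        elif line.startswith("scan completed"):
            section = None
        elif section == "autostart" and line.startswith("HK"):
            key = line
        elif section == "autostart" and " = " in line:
            name, _, value = line.partition(" = ")
            autostarts.append((key, name, value))
        elif section == "files" and (m := FILE_RE.match(line)):
            files.append({"path": m["path"], "size": int(m["size"]), "kind": m["kind"] or "unknown"})
    return autostarts, files


def mbr_status(log):
    return [(m["device"], m["status"]) for m in (MBR_RE.match(l) for l in log.splitlines()) if m]


def triage(log):
    """Return (indicator, detail) pairs worth a human look."""
    findings = []
    for scheme, host, port in proxy_entries(log):
        if is_loopback(host):
            findings.append(("loopback_proxy", f"{scheme} proxy -> {host}:{port}"))
    autostarts, files = catchme_sections(log)
    for key, name, value in autostarts:
        # '?' is how the pasted log renders bytes it could not print; a Run value with them is suspect
        note = " (non-printable bytes in value)" if "?" in value or not value.isprintable() else ""
        findings.append(("hidden_autostart", f"{key}\\{name}{note}"))
    for f in files:
        if f["kind"] == "executable":
            findings.append(("hidden_executable", f["path"]))
    for device, status in mbr_status(log):
        if not MBR_OK_RE.search(status):
            findings.append(("mbr_unrecognized", f"{device}: {status}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

Run it against a pasted log (replace SAMPLE_LOG with the file contents) and it prints one line per indicator. The loopback proxy rule is the one that explains the symptom in this thread: with every browser request forced through a process listening on 127.0.0.1, that process can rewrite search results regardless of which browser or DNS server is used, so clearing the proxy without removing the listener only fixes things until the next reboot.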
 
How are things at the moment?

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 