Solved Need help with Google redirect

Status
Not open for further replies.
E

Evangelical

Posts: 16   +0
i have a Win XP Pro laptop with the redirect issue. I have applied the 6 step suggested in the forum. The resulting logs follow.
Thanks in advance for your help!

Malwarebytes log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5184

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/24/2010 1:07:20 PM
mbam-log-2010-11-24 (13-07-20).txt

Scan type: Quick scan
Objects scanned: 163923
Time elapsed: 8 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\kmiller\Application Data\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.


GMER log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-11-24 13:25:33
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1246GSX rev.LB213M
Running: ftob31p1.exe; Driver: C:\DOCUME~1\KENMIL~1\LOCALS~1\Temp\kxddqpob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 234441392 (+254): rootkit-like behavior;

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DBC9A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9DBC940]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9DBC954]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DBC9BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DBC9E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9DBCA54]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9DBCA3E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9DBCA6A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DBCAFE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9DBCA96]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DBC992]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DBC904]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DBC918]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9DBCAD2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9DBCA28]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9DBCA12]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DBC9D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9DBCABE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9DBCAAA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9DBC97E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9DBC96A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DBC9FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DBCB2D]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9DBCA80]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DBCB14]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DBCAE8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A606AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A606AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A606AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A606AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-12 8A606AEA

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1246GSX_______________________LB213M__#5&22499e11&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

DDS.txt:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Ken Miller at 13:32:30.34 on Wed 11/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1374 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Ken Miller\Application Data\U3\00001680D773D557\LaunchPad.exe
C:\Documents and Settings\Ken Miller\Desktop\logs\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://msn.com
mDefault_Search_URL = hxxp://msn.com
mSearch Page = hxxp://google.com
mStart Page = hxxp://msn.com
uInternet Settings,ProxyServer = jal.lmf.net:8013
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [TPSMain] TPSMain.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [CFSServ.exe] CFSServ.exe -NoClient
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenmil~1\applic~1\mozilla\firefox\profiles\i90y8dfj.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.ftp - jal.lmf.net
FF - prefs.js: network.proxy.ftp_port - 8013
FF - prefs.js: network.proxy.gopher - jal.lmf.net
FF - prefs.js: network.proxy.gopher_port - 8013
FF - prefs.js: network.proxy.http - jal.lmf.net
FF - prefs.js: network.proxy.http_port - 8013
FF - prefs.js: network.proxy.socks - jal.lmf.net
FF - prefs.js: network.proxy.socks_port - 8013
FF - prefs.js: network.proxy.ssl - jal.lmf.net
FF - prefs.js: network.proxy.ssl_port - 8013
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {033D3051-0DA4-4AA6-9A8E-86651C3568CF} - c:\documents and settings\ken miller\local settings\application data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}
FF - HiddenExtension: XULRunner: {40C0C7D2-D432-4459-9AD3-75ABCC68B95C} - c:\documents and settings\ken miller\local settings\application data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-8-25 147984]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-21 344712]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-8-25 22816]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-8-25 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-12-12 69192]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-10-5 5888]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-21 91896]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-21 43192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-12-12 66536]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-8-3 50704]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\up_date\pedrv.sys --> c:\sysprep\up_date\PEDrv.sys [?]

=============== Created Last 30 ================

2010-11-24 17:45:14 -------- d-----w- c:\windows\system32\wbem\Logs
2010-10-26 19:07:50 -------- d-----w- C:\Microsoft

==================== Find3M ====================

2010-09-24 07:49:12 8704 ----a-w- c:\windows\system32\bootexctrl.exe
2010-09-24 07:49:04 11776 ----a-w- c:\windows\system32\wgx.dll
2010-09-24 07:49:02 24576 ----a-w- c:\windows\system32\udefrag.exe
2010-09-24 07:49:00 14848 ----a-w- c:\windows\system32\lua5.1a_gui.exe
2010-09-24 07:49:00 10752 ----a-w- c:\windows\system32\lua5.1a.exe
2010-09-24 07:48:58 92160 ----a-w- c:\windows\system32\lua5.1a.dll
2010-09-24 07:48:52 8192 ----a-w- c:\windows\system32\udefrag.dll
2010-09-24 07:48:52 6144 ----a-w- c:\windows\system32\hibernate4win.exe
2010-09-24 07:48:50 48640 ----a-w- c:\windows\system32\udefrag-kernel.dll
2010-09-24 07:48:46 47104 ----a-w- c:\windows\system32\zenwinx.dll
2010-09-24 07:48:40 88064 ----a-w- c:\windows\system32\defrag_native.exe
2010-08-30 14:12:04 0 ----a-w- c:\windows\Qgicigobab.bin

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1246GSX rev.LB213M -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A606EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88be4872; SUB DWORD [EBP-0x4], 0x88be412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A801AB8]
3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000079[0x8A7C2E98]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A864940]
[0x8A72B7D0] -> IRP_MJ_CREATE -> 0x8A606EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1246GSX_______________________LB213M__#5&22499e11&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A606AEA
user & kernel MBR OK
sectors 234441646 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:34:02.61 ===============


Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-10.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/21/2008 12:39:47 PM
System Uptime: 11/24/2010 1:07:55 PM (0 hours ago)

Motherboard: ATI | | SB600
Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-60 | Socket M2/S1G1 | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 103 GiB total, 78.309 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Synaptics PS/2 Port TouchPad
Device ID: ACPI\SYN1909\4&839A984&0
Manufacturer: Synaptics
Name: Synaptics PS/2 Port TouchPad
PNP Device ID: ACPI\SYN1909\4&839A984&0
Service: i8042prt

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\33327EA580D1E
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\33327EA580D1E
Service: NIC1394

Class GUID: {72631E54-78A4-11D0-BCF7-00AA00B7B32A}
Description: Microsoft ACPI-Compliant Control Method Battery
Device ID: ACPI\PNP0C0A\1
Manufacturer: Microsoft
Name: Microsoft ACPI-Compliant Control Method Battery
PNP Device ID: ACPI\PNP0C0A\1
Service: CmBatt

Class GUID: {72631E54-78A4-11D0-BCF7-00AA00B7B32A}
Description: Microsoft AC Adapter
Device ID: ACPI\ACPI0003\2&DABA3FF&0
Manufacturer: Microsoft
Name: Microsoft AC Adapter
PNP Device ID: ACPI\ACPI0003\2&DABA3FF&0
Service: CmBatt

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Audio Codecs
Device ID: ROOT\MEDIA\MS_MMACM
Manufacturer: (Standard system devices)
Name: Audio Codecs
PNP Device ID: ROOT\MEDIA\MS_MMACM
Service: audstub

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Legacy Audio Drivers
Device ID: ROOT\MEDIA\MS_MMDRV
Manufacturer: (Standard system devices)
Name: Legacy Audio Drivers
PNP Device ID: ROOT\MEDIA\MS_MMDRV
Service: audstub

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Media Control Devices
Device ID: ROOT\MEDIA\MS_MMMCI
Manufacturer: (Standard system devices)
Name: Media Control Devices
PNP Device ID: ROOT\MEDIA\MS_MMMCI
Service: audstub

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Legacy Video Capture Devices
Device ID: ROOT\MEDIA\MS_MMVCD
Manufacturer: (Standard system devices)
Name: Legacy Video Capture Devices
PNP Device ID: ROOT\MEDIA\MS_MMVCD
Service: audstub

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Video Codecs
Device ID: ROOT\MEDIA\MS_MMVID
Manufacturer: (Standard system devices)
Name: Video Codecs
PNP Device ID: ROOT\MEDIA\MS_MMVID
Service: audstub

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Direct Parallel
Device ID: ROOT\MS_PTIMINIPORT\0000
Manufacturer: Microsoft
Name: Direct Parallel
PNP Device ID: ROOT\MS_PTIMINIPORT\0000
Service: Raspti

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Microsoft System Management BIOS Driver
Device ID: ROOT\SYSTEM\0002
Manufacturer: (Standard system devices)
Name: Microsoft System Management BIOS Driver
PNP Device ID: ROOT\SYSTEM\0002
Service: mssmbios

==== System Restore Points ===================

RP306: 8/30/2010 2:39:22 PM - System Checkpoint
RP307: 8/31/2010 3:01:44 PM - System Checkpoint
RP308: 9/2/2010 5:53:49 PM - System Checkpoint
RP309: 9/7/2010 11:24:23 AM - System Checkpoint
RP310: 9/9/2010 12:59:43 PM - System Checkpoint
RP311: 9/10/2010 6:58:17 PM - System Checkpoint
RP312: 9/13/2010 10:45:57 AM - System Checkpoint
RP313: 9/14/2010 2:03:54 PM - System Checkpoint
RP314: 9/16/2010 12:40:47 PM - System Checkpoint
RP315: 9/20/2010 5:00:00 PM - System Checkpoint
RP316: 9/21/2010 5:11:44 PM - System Checkpoint
RP317: 9/28/2010 10:42:15 AM - System Checkpoint
RP318: 9/30/2010 5:58:52 PM - System Checkpoint
RP319: 10/4/2010 5:31:07 PM - System Checkpoint
RP320: 10/12/2010 2:23:18 PM - Configured 2007 Microsoft Office system
RP321: 10/13/2010 9:33:39 AM - Removed Ad-Aware
RP322: 10/13/2010 2:13:33 PM - Restore Operation
RP323: 10/13/2010 2:28:46 PM - Removed Ad-Aware
RP324: 10/18/2010 11:29:30 AM - System Checkpoint
RP325: 11/8/2010 12:37:13 PM - System Checkpoint
RP326: 11/9/2010 3:07:23 PM - System Checkpoint
RP327: 11/11/2010 9:26:02 AM - System Checkpoint
RP328: 11/15/2010 2:53:58 PM - System Checkpoint
RP329: 11/16/2010 3:02:25 PM - System Checkpoint
RP330: 11/18/2010 10:42:14 AM - System Checkpoint
RP331: 11/22/2010 3:14:07 PM - System Checkpoint
RP332: 11/23/2010 3:57:19 PM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office system
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
AMD Processor Driver
Apple Mobile Device Support
Apple Software Update
Atheros Client Utility
Atheros Driver Installation Program
ATI Catalyst Control Center
ATI Display Driver
Bluetooth Stack for Windows by Toshiba
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.7
Foxit Reader
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterVideo WinDVD for TOSHIBA
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Kyocera FS-C1020MFP Twain
Kyocera Product Library
Malwarebytes' Anti-Malware
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (3.1.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NICI (Shared) U.S./Worldwide (128 bit) (2.6.6-1)
OGA Notifier 2.0.0048.0
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Skins
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Zooming Utility
Ultra Defragmenter
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb2202131)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

11/24/2010 12:17:54 PM, error: Dhcp [1002] - The IP address lease 192.168.10.148 for the Network Card with network address 001B9EB757A5 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
11/24/2010 1:23:57 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
11/24/2010 1:08:28 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/23/2010 2:51:45 PM, error: Dhcp [1002] - The IP address lease 192.168.2.34 for the Network Card with network address 001B9EB757A5 has been denied by the DHCP server 192.168.10.1 (The DHCP Server sent a DHCPNACK message).
11/23/2010 2:50:40 PM, error: Dhcp [1002] - The IP address lease 192.168.10.148 for the Network Card with network address 001B9EB757A5 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
11/23/2010 12:42:15 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/23/2010 12:42:15 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
11/18/2010 10:43:19 AM, error: NETLOGON [5719] - No Domain Controller is available for domain AD due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================
 
Hi and welcome to TechSpot forums :).

====

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
ComboFix log

ComboFix 10-11-25.05 - Ken Miller 11/26/2010 9:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1437 [GMT -5:00]
Running from: c:\documents and settings\Ken Miller\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}
c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}\chrome.manifest
c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}\chrome\content\overlay.xul
c:\documents and settings\Ken Miller\Local Settings\Application Data\{033D3051-0DA4-4AA6-9A8E-86651C3568CF}\install.rdf
c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}
c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}\chrome.manifest
c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}\chrome\content\overlay.xul
c:\documents and settings\Ken Miller\Local Settings\Application Data\{40C0C7D2-D432-4459-9AD3-75ABCC68B95C}\install.rdf
C:\Microsoft
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-10-26 to 2010-11-26 )))))))))))))))))))))))))))))))
.

2010-11-24 17:45 . 2010-11-26 14:31 -------- d-----w- c:\windows\system32\wbem\Logs
2010-11-01 16:31 . 2010-11-01 16:31 -------- d-----w- c:\documents and settings\kmiller\Local Settings\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 07:49 . 2010-09-24 07:49 8704 ----a-w- c:\windows\system32\bootexctrl.exe
2010-09-24 07:49 . 2010-09-24 07:49 11776 ----a-w- c:\windows\system32\wgx.dll
2010-09-24 07:49 . 2010-09-24 07:49 24576 ----a-w- c:\windows\system32\udefrag.exe
2010-09-24 07:49 . 2010-09-24 07:49 14848 ----a-w- c:\windows\system32\lua5.1a_gui.exe
2010-09-24 07:49 . 2010-09-24 07:49 10752 ----a-w- c:\windows\system32\lua5.1a.exe
2010-09-24 07:48 . 2010-09-24 07:48 92160 ----a-w- c:\windows\system32\lua5.1a.dll
2010-09-24 07:48 . 2010-09-24 07:48 8192 ----a-w- c:\windows\system32\udefrag.dll
2010-09-24 07:48 . 2010-09-24 07:48 6144 ----a-w- c:\windows\system32\hibernate4win.exe
2010-09-24 07:48 . 2010-09-24 07:48 48640 ----a-w- c:\windows\system32\udefrag-kernel.dll
2010-09-24 07:48 . 2010-09-24 07:48 47104 ----a-w- c:\windows\system32\zenwinx.dll
2010-09-24 07:48 . 2010-09-24 07:48 88064 ----a-w- c:\windows\system32\defrag_native.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TPSMain"="TPSMain.exe" [2007-10-08 262144]
"NDSTray.exe"="NDSTray.exe" [BU]
"ACU"="c:\program files\Atheros\ACU.exe" [2007-08-03 376921]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2007-08-28 356352]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-03 16841216]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-26 124224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [8/25/2010 7:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/12/2008 10:50 AM 69192]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 2:22 PM 105856]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 2:15 PM 134016]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [10/5/2007 7:08 AM 5888]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/12/2008 10:50 AM 66536]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\UP_date\PEDrv.sys --> c:\sysprep\UP_date\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-11-01 c:\windows\Tasks\CleanXP.job
- c:\utilities\CleanXP.bat [2008-04-21 18:36]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://msn.com
uInternet Settings,ProxyServer = jal.lmf.net:8013
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Ken Miller\Application Data\Mozilla\Firefox\Profiles\i90y8dfj.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.ftp - jal.lmf.net
FF - prefs.js: network.proxy.ftp_port - 8013
FF - prefs.js: network.proxy.gopher - jal.lmf.net
FF - prefs.js: network.proxy.gopher_port - 8013
FF - prefs.js: network.proxy.http - jal.lmf.net
FF - prefs.js: network.proxy.http_port - 8013
FF - prefs.js: network.proxy.socks - jal.lmf.net
FF - prefs.js: network.proxy.socks_port - 8013
FF - prefs.js: network.proxy.ssl - jal.lmf.net
FF - prefs.js: network.proxy.ssl_port - 8013
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-26 09:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1246GSX rev.LB213M -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A605EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88be4872; SUB DWORD [EBP-0x4], 0x88be412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A83A9A0]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007a[0x8A7F2260]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A7CFD98]
[0x8A6E3D58] -> IRP_MJ_CREATE -> 0x8A605EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1246GSX_______________________LB213M__#5&22499e11&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A605AEA
user & kernel MBR OK
sectors 234441646 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1004)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3068)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\TPSMain.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\TPSBattM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-26 09:49:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-26 14:49

Pre-Run: 83,958,190,080 bytes free
Post-Run: 83,858,132,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 6938ACA524EBB8115A8C53943653F1EF
 
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
 
TDSSKiller Log

2010/11/29 08:50:01.0546 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/11/29 08:50:01.0546 ================================================================================
2010/11/29 08:50:01.0546 SystemInfo:
2010/11/29 08:50:01.0546
2010/11/29 08:50:01.0546 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/29 08:50:01.0546 Product type: Workstation
2010/11/29 08:50:01.0546 ComputerName: K_MILLER
2010/11/29 08:50:01.0546 UserName: Ken Miller
2010/11/29 08:50:01.0546 Windows directory: C:\WINDOWS
2010/11/29 08:50:01.0546 System windows directory: C:\WINDOWS
2010/11/29 08:50:01.0546 Processor architecture: Intel x86
2010/11/29 08:50:01.0546 Number of processors: 2
2010/11/29 08:50:01.0546 Page size: 0x1000
2010/11/29 08:50:01.0546 Boot type: Normal boot
2010/11/29 08:50:01.0546 ================================================================================
2010/11/29 08:50:01.0921 Initialize success
2010/11/29 08:50:56.0015 ================================================================================
2010/11/29 08:50:56.0015 Scan started
2010/11/29 08:50:56.0015 Mode: Manual;
2010/11/29 08:50:56.0015 ================================================================================
2010/11/29 08:50:56.0484 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/29 08:50:56.0515 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/11/29 08:50:56.0578 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/29 08:50:56.0640 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/29 08:50:56.0890 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/11/29 08:50:57.0078 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/11/29 08:50:57.0187 AR5211 (89873aebbf0309393f0737e26d891209) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2010/11/29 08:50:57.0359 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/29 08:50:57.0468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/29 08:50:57.0500 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/29 08:50:57.0625 ati2mtag (3b88b6466896cc1a3a7e3287d72aca85) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/29 08:50:57.0828 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/29 08:50:57.0843 audstub (0316b8d040485aea50bc60d4c58d79a6) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/29 08:50:57.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/29 08:50:58.0000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/29 08:50:58.0031 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/29 08:50:58.0203 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/29 08:50:58.0265 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/29 08:50:58.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/29 08:50:58.0375 CmBatt (cfaa868f6038fd41f3aae5ebbe577d89) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/29 08:50:58.0640 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/29 08:50:58.0812 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/29 08:50:59.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/29 08:50:59.0140 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/29 08:50:59.0312 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/29 08:50:59.0484 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/29 08:50:59.0703 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/11/29 08:50:59.0765 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/11/29 08:50:59.0890 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2010/11/29 08:51:00.0156 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/29 08:51:00.0203 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/29 08:51:00.0265 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/11/29 08:51:00.0296 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/29 08:51:00.0343 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/29 08:51:00.0531 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/29 08:51:00.0562 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/29 08:51:00.0609 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/29 08:51:00.0625 FwLnk (4d52c52101492c450518124c592d8925) C:\WINDOWS\system32\DRIVERS\FwLnk.sys
2010/11/29 08:51:00.0828 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/11/29 08:51:00.0968 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/29 08:51:01.0109 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/29 08:51:01.0156 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/29 08:51:01.0328 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/29 08:51:01.0437 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/29 08:51:01.0484 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/29 08:51:01.0703 IntcAzAudAddService (8c65fcf7ab3389e7c224ea2ec4456f2d) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/11/29 08:51:02.0078 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/29 08:51:02.0125 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/29 08:51:02.0187 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/29 08:51:02.0234 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/29 08:51:02.0421 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/29 08:51:02.0468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/29 08:51:02.0515 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/29 08:51:02.0593 Kbdclass (fd13429e2beac0010eb269461450a6be) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/29 08:51:02.0593 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: fd13429e2beac0010eb269461450a6be, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/11/29 08:51:02.0593 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/29 08:51:02.0625 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/29 08:51:02.0812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/29 08:51:02.0875 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/29 08:51:03.0000 mfeapfk (a8d2c54c2f71f5cba7ca2734341e57e6) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/11/29 08:51:03.0093 mfeavfk (28bb783d85df19e9e007e81daf40adcc) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/11/29 08:51:03.0328 mfebopk (8e43e242073e9db5aa165ebe273ffd09) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/11/29 08:51:03.0375 mfehidk (e94d35a2a9b175b34b995ab37216c73e) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/11/29 08:51:03.0421 mferkdet (f68c9cda15114b360727fe622e4aec6f) C:\WINDOWS\system32\drivers\mferkdet.sys
2010/11/29 08:51:03.0531 mfetdik (78efa6fd2a486c476045eaa1d2f218b7) C:\WINDOWS\system32\drivers\mfetdik.sys
2010/11/29 08:51:03.0656 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/29 08:51:03.0734 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/29 08:51:03.0906 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/29 08:51:03.0968 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/29 08:51:04.0015 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/29 08:51:04.0062 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/29 08:51:04.0140 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/29 08:51:04.0328 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/29 08:51:04.0515 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/29 08:51:04.0625 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/29 08:51:04.0656 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/29 08:51:04.0718 mssmbios (bc3c1c3d36711161d7c6f5d52b6486b2) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/29 08:51:04.0781 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/11/29 08:51:04.0984 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/29 08:51:05.0031 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/11/29 08:51:05.0093 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/29 08:51:05.0187 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/11/29 08:51:05.0281 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/29 08:51:05.0328 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/29 08:51:05.0359 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/29 08:51:05.0375 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/29 08:51:05.0406 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/29 08:51:05.0468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/29 08:51:05.0531 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2010/11/29 08:51:05.0703 NIC1394 (c03a4601dc3a23e9dd4d75e046ed490e) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/29 08:51:05.0875 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/29 08:51:05.0937 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/29 08:51:06.0031 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/29 08:51:06.0078 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/29 08:51:06.0109 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/29 08:51:06.0218 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2010/11/29 08:51:06.0265 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2010/11/29 08:51:06.0296 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2010/11/29 08:51:06.0406 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/29 08:51:06.0468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/11/29 08:51:06.0578 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/29 08:51:06.0640 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/29 08:51:06.0734 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/29 08:51:06.0781 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/29 08:51:06.0890 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/29 08:51:07.0078 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/29 08:51:07.0093 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/29 08:51:07.0187 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/29 08:51:07.0328 Ptilink (e91ec7958f178cb758cebaf427c62729) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/29 08:51:07.0406 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ptilink.sys. Real md5: e91ec7958f178cb758cebaf427c62729, Fake md5: fa040d17f355759229fa08e1f9735ad8
2010/11/29 08:51:07.0406 Ptilink - detected Forged file (1)
2010/11/29 08:51:07.0546 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/29 08:51:07.0609 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/29 08:51:07.0687 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/29 08:51:07.0781 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/29 08:51:07.0812 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/29 08:51:07.0875 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/29 08:51:07.0906 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/29 08:51:07.0968 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/29 08:51:08.0093 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/29 08:51:08.0171 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2010/11/29 08:51:08.0312 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2010/11/29 08:51:08.0468 rismxdp (d231b577024aa324af13a42f3a807d10) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2010/11/29 08:51:08.0531 RTLE8023xp (badabe0940c01619e8510b90fb314929) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/11/29 08:51:08.0656 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/11/29 08:51:08.0750 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/29 08:51:08.0875 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/11/29 08:51:08.0921 Sfloppy (df7c158d631f61b1f67161d47ac9bc5a) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/29 08:51:09.0109 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/11/29 08:51:09.0203 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/29 08:51:09.0281 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/29 08:51:09.0359 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/29 08:51:09.0453 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/11/29 08:51:09.0546 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/29 08:51:09.0593 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/29 08:51:09.0765 SynTP (7b36f8ac636168184bab1aa20db1150b) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/11/29 08:51:09.0796 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/29 08:51:09.0906 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/29 08:51:10.0031 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
2010/11/29 08:51:10.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/29 08:51:10.0171 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/29 08:51:10.0234 tdudf (f56a9327c58ff985616c5e197472932c) C:\WINDOWS\system32\DRIVERS\tdudf.sys
2010/11/29 08:51:10.0328 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/29 08:51:10.0578 tosrfec (5c4103544612e5011ef46301b93d1aa6) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
2010/11/29 08:51:10.0703 trudf (3f9ba8878aa26d0831116733f9bc53ff) C:\WINDOWS\system32\DRIVERS\trudf.sys
2010/11/29 08:51:10.0765 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/29 08:51:10.0953 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/29 08:51:11.0031 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/29 08:51:11.0078 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/29 08:51:11.0250 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/29 08:51:11.0312 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/29 08:51:11.0359 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/29 08:51:11.0421 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/29 08:51:11.0546 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/11/29 08:51:11.0609 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/29 08:51:11.0671 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/29 08:51:11.0718 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/29 08:51:11.0828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/29 08:51:11.0937 WSIMD (2ea107f535b0b7bfb1d8d6bd79325dbb) C:\WINDOWS\system32\DRIVERS\wsimd.sys
2010/11/29 08:51:12.0109 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/11/29 08:51:12.0328 ================================================================================
2010/11/29 08:51:12.0328 Scan finished
2010/11/29 08:51:12.0328 ================================================================================
2010/11/29 08:51:12.0343 Detected object count: 2
2010/11/29 08:51:35.0953 Kbdclass (fd13429e2beac0010eb269461450a6be) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/29 08:51:35.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: fd13429e2beac0010eb269461450a6be, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/11/29 08:51:36.0453 Backup copy found, using it..
2010/11/29 08:51:36.0546 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/11/29 08:51:36.0546 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
2010/11/29 08:51:36.0546 Forged file(Ptilink) - User select action: Skip
2010/11/29 08:51:50.0828 Deinitialize success
 
Looking better.

The redirects are not occuring at the moment.
Is it possible that some email messages would have gotten deleted during the process? (Outlook Express)
I did not run any applications other than Firefox during the time you were assisting me.

Thanks again for your help!
 
I cannot see in the logs that any outlook items were deleted, but thats not to say that it did not happen at some stage, although I cannot remember having that happen before.

==

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

 
ESET log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=af331b6d0beef14b896cb095e8e75ef3
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-12-01 01:53:16
# local_time=2010-12-01 08:53:16 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=70361
# found=0
# cleaned=0
# scan_time=2050
 
Good news and thanks for getting back :).

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
794
uber_beetle
uber_beetle
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni

Latest posts

Back