Google Search Redirect

  • This topic is locked
11 replies to this topic

#1 dryice1987


  • Members
  • 28 posts
  • Local time:04:51 PM

Posted 11 June 2010 - 04:39 PM

I have had Google search redirects the last couple days. Does not (yet) affect access to email, Word, or others. Sometimes, simply when viewing a website, I get a pop up from an unknown website. The first result in the Google search is generally ok, but clicking on any results under that starts the redirect.

Tried MBam, Ad Aware, AVG, Spybot S & D, SuperAntispyware and Trojan Remover. Mbam and SAS found a couple trojans, cleaned them off, but problem persisted.

I ran the DDS Scans and the results are below. Tried running the gmer scan at least 4 times. Each time, it seems to be running fine for 15 or 20 minutes, then it shuts off my computer.

Any help is greatly appreciated.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Mark Schramm at 14:30:51.23 on Fri 06/11/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.147 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Timeslips\TSTimer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mark Schramm\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mStart Page = hxxp://www.dell.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: McAfee AntiPhishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [TSTimer] "c:\program files\timeslips\TSTimer.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-10 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-27 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-27 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-27 242896]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2006-7-24 80640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-12 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-7-24 126976]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-7-24 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-7-24 122368]
R3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2009-1-26 20504]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-7-24 114464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-18 135664]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-7-24 245760]

=============== Created Last 30 ================

2010-06-11 19:23:23 0 ----a-w- c:\documents and settings\mark schramm\defogger_reenable
2010-06-10 18:56:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-10 18:55:45 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-10 18:45:17 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-10 18:43:10 0 d-----w- c:\program files\Lavasoft
2010-06-08 20:28:31 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-08 20:28:31 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-08 20:28:31 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-08 20:28:31 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-08 20:28:31 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-06-08 18:25:02 0 d-----w- c:\docume~1\marksc~1\applic~1\SUPERAntiSpyware.com
2010-06-08 18:25:02 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-08 18:24:45 0 d-----w- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2010-06-10 13:13:09 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-02 16:07:35 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-12 13:27:19 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-01-26 22:42:50 608 --sha-w- c:\windows\system32\winzvprt5.sys

============= FINISH: 14:32:51.31 ===============



#2 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:51 PM

Posted 15 June 2010 - 04:15 PM

Hi dryice1987,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer.

#3 dryice1987

  • Topic Starter

  • Members
  • 28 posts
  • Local time:04:51 PM

Posted 15 June 2010 - 04:31 PM

Farbar: Thanks for helping. Yes, I agree not to run any scans, tools or updates while you are helping me.

The issue is not resolved. Search results on Google through both IE and Firefox are still being redirected. I uninstalled Firefox. I run a Windows PC running Windows XP. I am also getting popups when on legitimate websites.

Please check my scans and let me know what else you need to help me with this problem.


#4 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:51 PM

Posted 15 June 2010 - 04:41 PM

Hi again,
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.

  2. Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  3. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @echo off
    if exist mbr.log del mbr.log
    mbr.exe -t
    ping -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop.
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

#5 dryice1987

  • Topic Starter

  • Members
  • 28 posts
  • Local time:04:51 PM

Posted 15 June 2010 - 05:30 PM

I uninstalled Spybot S & D yesterday, so teatimer should no longer be a problem.

My gmer and mbr logs are attached.

Thanks and let me know what else you need

MBR Notepad results:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

GMER scan results:

GMER - http://www.gmer.net
Rootkit scan 2010-06-15 17:08:17
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\MARKSC~1\LOCALS~1\Temp\kxloapod.sys

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtSetSecurityObject 805BED7A 5 Bytes JMP F07BFCC2 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenProcess 805CA160 5 Bytes JMP F07BFC18 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtOpenThread 805CA3EC 5 Bytes JMP F07BFC2C \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRenameKey 80621FE4 7 Bytes JMP F07BFC80 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A5A 7 Bytes JMP F07BFC6A \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C2A 7 Bytes JMP F07BFC96 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwOpenKey 80623960 5 Bytes JMP F07BFC40 \SystemRoot\system32\drivers\mfehidk.sys
? system32\drivers\mfehidk.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0152000A
.text C:\WINDOWS\System32\svchost.exe[1084] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00A0000A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[1140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 010B3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[1908] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\wuauclt.exe[1908] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AC000A
.text C:\WINDOWS\system32\wuauclt.exe[1908] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003D000C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[1952] WS2_32.dll!connect 71AB406A 5 Bytes JMP 010B3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text C:\Documents and Settings\Mark Schramm\Desktop\gmer\gmer.exe[2028] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00D23E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\stsystra.exe[2100] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C73E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[2120] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2136] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\PROGRA~1\mcafee.com\agent\mcagent.exe[2160] WS2_32.dll!connect 71AB406A 5 Bytes JMP 011F3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text ...
.text C:\Program Files\Timeslips\TSTimer.exe[2388] kernel32.dll!GetDiskFreeSpaceA 7C830309 5 Bytes JMP 0114BE10 C:\Program Files\Timeslips\TSDBAP32.dll (Timeslips API/Sage Software SB, Inc.)
.text C:\Program Files\Timeslips\TSTimer.exe[2388] WS2_32.dll!connect 71AB406A 5 Bytes JMP 052D3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\DellSupport\DSAgnt.exe[2400] ws2_32.dll!connect 71AB406A 5 Bytes JMP 02303E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2436] WS2_32.dll!connect 71AB406A 5 Bytes JMP 042D3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[2480] WS2_32.dll!connect 71AB406A 5 Bytes JMP 07133E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\Digital Line Detect\DLG.exe[2540] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01083E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[4896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00AA000C
.text c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe[6024] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00A13E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
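
A way to triage the user-mode section of a GMER log like the one above, as an added example that is not part of the original posts and not GMER's own code. It parses `.text` hook lines in the format shown and separates hooks whose JMP target is followed by a module path from those with none listed; it assumes a missing module path means the target was not attributed to a file on disk, and the names `Hook`, `parse_hooks`, `triage` and `widespread_unattributed` are hypothetical.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Lines copied from the GMER "User code sections" log in the post above,
# including one elided ".text ..." line to exercise the skip path.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0152000A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[1140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 010B3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text ...
.text C:\Program Files\Timeslips\TSTimer.exe[2388] kernel32.dll!GetDiskFreeSpaceA 7C830309 5 Bytes JMP 0114BE10 C:\Program Files\Timeslips\TSDBAP32.dll (Timeslips API/Sage Software SB, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4000A
"""

# <section> <image path>[pid] <module>!<function> <address> <n> Bytes JMP <target> [owner]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<length>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>.+?))?\s*$"
)


@dataclass(frozen=True)
class Hook:
    image: str            # full path of the hooked process image
    pid: int
    api: str              # "module!function" whose first bytes were patched
    target: str           # JMP destination as printed by GMER
    owner: Optional[str]  # module path (and description) after the target, if any


def parse_hooks(log_text):
    """Return (hooks, skipped): parsed .text lines and .text lines that did not parse."""
    hooks, skipped = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(".text"):
            continue  # headers, blank lines, kernel PAGE entries
        m = HOOK_RE.match(line)
        if m is None:
            skipped.append(line)  # e.g. the elided ".text ..." rows
            continue
        hooks.append(Hook(
            image=m["image"],
            pid=int(m["pid"]),
            api=f'{m["module"]}!{m["function"]}',
            target=m["target"].upper(),
            owner=m["owner"],
        ))
    return hooks, skipped


def triage(hooks):
    """Split hooks into owner -> processes and, for hooks with no owner, api -> processes."""
    attributed = defaultdict(set)
    unattributed = defaultdict(set)
    for h in hooks:
        if h.owner:
            attributed[h.owner].add((h.image, h.pid))
        else:
            unattributed[h.api].add((h.image, h.pid))
    return dict(attributed), dict(unattributed)


def widespread_unattributed(hooks, min_processes=2):
    """APIs patched with no owning module listed in at least min_processes processes."""
    _, unattributed = triage(hooks)
    return sorted(api for api, procs in unattributed.items()
                  if len(procs) >= min_processes)


if __name__ == "__main__":
    hooks, skipped = parse_hooks(SAMPLE_LOG)
    attributed, unattributed = triage(hooks)
    print(f"{len(hooks)} hooks parsed, {len(skipped)} line(s) skipped")
    for owner, procs in attributed.items():
        print(f"attributed   {owner}: {len(procs)} process(es)")
    for api, procs in sorted(unattributed.items()):
        names = ", ".join(f"{img}[{pid}]" for img, pid in sorted(procs))
        print(f"unattributed {api}: {names}")
    print("same API, no owner, several processes:", widespread_unattributed(hooks))
```
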

#6 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:51 PM

Posted 15 June 2010 - 05:36 PM

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it has finished, press any key to continue.
  • Let it reboot if needed, and tell me if it needed a reboot.
  • Also it makes a txt file on the C:\ directory (like TDSSKiller. Please attach it to your reply.

#7 dryice1987

  • Topic Starter

  • Members
  • 28 posts
  • Local time:04:51 PM

Posted 15 June 2010 - 05:52 PM

Yes, it did have me reboot and I did so.

Attached is the logfile

17:46:07:234 3932 TDSS rootkit removing tool May 31 2010 10:39:48
17:46:07:234 3932 ================================================================================
17:46:07:234 3932 SystemInfo:

17:46:07:234 3932 OS Version: 5.1.2600 ServicePack: 2.0
17:46:07:234 3932 Product type: Workstation
17:46:07:234 3932 ComputerName: D4QGFFB1
17:46:07:234 3932 UserName: Mark Schramm
17:46:07:234 3932 Windows directory: C:\WINDOWS
17:46:07:234 3932 Processor architecture: Intel x86
17:46:07:234 3932 Number of processors: 2
17:46:07:234 3932 Page size: 0x1000
17:46:07:250 3932 Boot type: Normal boot
17:46:07:250 3932 ================================================================================
17:46:07:718 3932 Initialize success
17:46:07:718 3932
17:46:07:718 3932 Scanning Services ...
17:46:08:015 3932 Raw services enum returned 355 services
17:46:08:031 3932
17:46:08:031 3932 Scanning Drivers ...
17:46:12:765 3932 Kbdclass (f23af391fcea7f0eec904da384624976) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:46:12:765 3932 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: f23af391fcea7f0eec904da384624976, Fake md5: ebdee8a2ee5393890a1acee971c4c246
17:46:12:765 3932 File "C:\WINDOWS\system32\DRIVERS\kbdclass.sys" infected by TDSS rootkit ...
17:46:15:671 3932 Backup copy found, using it..
17:46:15:671 3932 will be cured on next reboot
17:46:19:046 3932 Reboot required for cure complete..
17:46:19:343 3932 Cure on reboot scheduled successfully
17:46:19:343 3932
17:46:19:343 3932 Completed
17:46:19:343 3932
17:46:19:343 3932 Results:
17:46:19:343 3932 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:46:19:343 3932 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:46:19:343 3932
17:46:19:343 3932 KLMD(ARK) unloaded successfully
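
Added example (not part of the original posts and not TDSSKiller's own code): a small Python triage of a log in the format pasted above. It pulls out the "Forged" hash-mismatch detection, ties the file to the driver service that loads it, and checks the per-file findings against the summary counts. The function names `records` and `triage` are made up for this example; the sample lines are copied from the log in this thread.

```python
import re

# Sample input: lines copied from the TDSSKiller log in this thread. The
# "infected" and "Backup copy found" records are fused onto one line on
# purpose, to exercise the record splitter.
SAMPLE_LOG = r"""
17:46:12:765 3932 Kbdclass (f23af391fcea7f0eec904da384624976) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:46:12:765 3932 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: f23af391fcea7f0eec904da384624976, Fake md5: ebdee8a2ee5393890a1acee971c4c246
17:46:12:765 3932 File "C:\WINDOWS\system32\DRIVERS\kbdclass.sys" infected by TDSS rootkit ... 17:46:15:671 3932 Backup copy found, using it..
17:46:15:671 3932 will be cured on next reboot
17:46:19:343 3932 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:46:19:343 3932 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

STAMP = r"\d\d:\d\d:\d\d:\d{3} \d+"  # time with milliseconds, then a numeric id
DRIVER = re.compile(r"(\S+) \(([0-9a-f]{32})\) (.+)")
FORGED = re.compile(r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})")
INFECTED = re.compile(r'File "(.+?)" infected by (.+?) rootkit')
TOTALS = re.compile(r"(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")


def records(text):
    """Yield message bodies, splitting records that were fused onto one line."""
    for chunk in re.split(rf"(?={STAMP})", text):
        m = re.match(rf"{STAMP} ?(.*)", chunk.strip(), re.S)
        if m:
            yield m.group(1).strip()


def triage(text):
    """Summarise detections in a TDSSKiller-style log (format as seen in this thread)."""
    services, findings, totals = {}, {}, {}
    for msg in records(text):
        if m := FORGED.fullmatch(msg):
            path, real, fake = m.groups()
            entry = findings.setdefault(path.lower(), {"path": path})
            # Two different hashes reported for one path is the tamper signal.
            entry.update(real_md5=real, fake_md5=fake, forged=real != fake)
        elif m := INFECTED.match(msg):
            findings.setdefault(m[1].lower(), {"path": m[1]})["family"] = m[2]
        elif m := TOTALS.fullmatch(msg):
            counts = map(int, m.groups()[1:])
            totals[m[1].lower()] = dict(zip(("infected", "cured", "on_reboot"), counts))
        elif m := DRIVER.fullmatch(msg):
            services[m[3].lower()] = m[1]  # file path -> driver service name
    for key, entry in findings.items():
        entry["service"] = services.get(key)
    infected = [f for f in findings.values() if "family" in f]
    return {
        "findings": list(findings.values()),
        "totals": totals,
        # A cure scheduled for reboot means the system is not clean yet.
        "reboot_pending": any(t["on_reboot"] for t in totals.values()),
        # The summary count should agree with the per-file detections.
        "consistent": totals.get("file", {}).get("infected") == len(infected),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `reboot_pending` result is the cue to re-scan after the restart before treating the machine as clean.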

#8 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:51 PM

Posted 15 June 2010 - 05:57 PM

The rootkit was cleaned and the issue should have been resolved.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (Make sure under Windows tab all the boxes of Internet Explorer and Windows Explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

  4. Tell me also how your computer is running.

#9 dryice1987


Posted 16 June 2010 - 11:25 AM

Ok, farbar, I think the TDSS killer did the trick. I have been going thru Google searches so far without a problem today. Also updated Java and ran the other things you recommended. MBAM log came out clean. Log is below.

Malwarebytes' Anti-Malware 1.39
Database version: 2526
Windows 5.1.2600 Service Pack 2

6/16/2010 11:13:58 AM
mbam-log-2010-06-16 (11-13-58).txt

Scan type: Quick Scan
Objects scanned: 93528
Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I am hoping this is the end of this problem, and thank you very much for your solutions.

Do you know whether this was a virus, a trojan, or what it is named?

#10 Farbar



Posted 16 June 2010 - 01:31 PM

This is TDL/TDSS rootkit. It patches a legit driver and loads from there.

It looks good.
  1. You may delete any log or tool we used from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  1. Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3 which has more features and is more secure than Service Pack 2.

    In order to update Windows go to Start -> All Programs -> Windows Update, wait for the page to load, then press the Custom button. Windows searches your computer and gives you possible updates.

    Prior to installing SP3 it is better to disable your antivirus and enable it after SP3 is installed.

  2. I strongly recommend updating Internet Explorer 6 to Internet Explorer 7 or Internet Explorer 8 as it has more functionality and is much safer.

  3. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  4. I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing dryice.

#11 dryice1987


Posted 16 June 2010 - 03:18 PM

Thanks again, farbar. Best of luck to the Netherlands in World Cup!

#12 Farbar



Posted 16 June 2010 - 03:31 PM

Thanks and you are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
