Google searches hijacked after removal of AV Suite


7 replies to this topic

#1 lingle873333

lingle873333

  • Members
  • 41 posts

Posted 13 June 2010 - 04:00 PM

Operating System: Windows XP Pro SP3 on network
AV software: ESET NOD32 version 4.0.417.0 -- database last updated June 13, 2010 (installed on network and pushed to workstations)


Last week (June 9) my computer at work became infected with the AV Suite. After following directions on bleepingcomputer.com, I was able to remove it. Hurray! After I rebooted, however, I discovered that my Google searches were being hijacked in the manner described by several other posters on this forum. It first appeared in Firefox 3.6.3. I switched to IE8, then to Chrome but the problem continued. I installed and switched to Opera and everything was fine for 2-3 hours but then the hijacking began on Opera as well.

My question is this: should my issue be a separate thread or should I be following the directions given to others on the forum to rid myself of this plague?


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 13 June 2010 - 05:26 PM

Hello and welcome, let's first run these and see if it still exists.
Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Now TDSSKiller
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
Please ask any needed questions,post logs and Let us know how the PC is running now.

#3 lingle873333

lingle873333
  • Topic Starter

  • Members
  • 41 posts

Posted 14 June 2010 - 01:05 PM

Well, I've done everything you suggested and, so far, everything is working well. I have done Google searches using both IE8 and Opera (I uninstalled Firefox at the beginning of this process and haven't installed it again) with no problems.

There are a couple of other issues that came up at the same time as the Google hijack problem that have not gone away. I have no idea whether or not they are connected to this or not but here they are:
1. Outlook will not allow me to connect using any clickable links in emails. I have to copy the address and paste it in the browser. This is the error message I receive -- "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."
2. Whenever I reboot, I now get the following error message -- "Error loading dirsgdmc.dll The specified module could not be found."

Here are the log files you wanted to see. Please let me know what, if anything, I need to do next. And THANK YOU THANK YOU THANK YOU:


--------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/14/2010 at 10:44 AM

Application Version : 4.39.1002

Core Rules Database Version : 5063
Trace Rules Database Version: 2875

Scan type : Complete Scan
Total Scan Time : 02:05:17

Memory items scanned : 284
Memory threats detected : 0
Registry items scanned : 9341
Registry threats detected : 3
File items scanned : 154204
File threats detected : 44

Trojan.Agent/Gen
HKU\S-1-5-21-2472173757-1120821206-786247379-1131\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4254E07D-1B18-446C-BA07-20A70E629F88}
HKCR\CLSID\{4254E07D-1B18-446C-BA07-20A70E629F88}

Adware.Flash Tracking Cookie
C:\Documents and Settings\jfitch\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\63YT3FDA\BC.YOUPORN.COM
C:\Documents and Settings\jfitch\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\63YT3FDA\STATIC.YOUPORN.COM
C:\Documents and Settings\jfitch\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\63YT3FDA\WWW.PORNHOST.COM
C:\Documents and Settings\jfitch\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\63YT3FDA\WWW.PORNOTUBE.COM
C:\Documents and Settings\jfitch\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\63YT3FDA\WWW.PORNRABBIT.COM
C:\Documents and Settings\jfitch\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\63YT3FDA\WWWSTATIC.MEGAPORN.COM
C:\Documents and Settings\jfitch\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\63YT3FDA\IA.MEDIA-IMDB.COM

Disabled.FolderOption
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\FOLDER\HIDDEN\SHOWALL#CHECKEDVALUE

Adware.Tracking Cookie
bc.youporn.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
cdn-www.pornhub.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
ia.media-imdb.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
media10.washingtonpost.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
static.youporn.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
www.mofosex.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
www.porncor.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
www.pornhost.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
www.pornhub.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
www.pornotube.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
www.pornrabbit.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
wwwstatic.megaporn.com [ C:\Documents and Settings\jfitch\Application Data\Macromedia\Flash Player\#SharedObjects\63YT3FDA ]
convoad.technoratimedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\BCB93G8Q ]
core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\BCB93G8Q ]
media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\BCB93G8Q ]
media.onsugar.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\BCB93G8Q ]
media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\BCB93G8Q ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\BCB93G8Q ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\BCB93G8Q ]
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.gossipcenter[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt



--------------------------------------------------------------------------------------------------------------------------



13:32:49:060 1264 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
13:32:49:060 1264 ================================================================================
13:32:49:060 1264 SystemInfo:

13:32:49:060 1264 OS Version: 5.1.2600 ServicePack: 3.0
13:32:49:060 1264 Product type: Workstation
13:32:49:060 1264 ComputerName: ROBINIA
13:32:49:060 1264 UserName: jfitch
13:32:49:060 1264 Windows directory: C:\WINDOWS
13:32:49:060 1264 Processor architecture: Intel x86
13:32:49:060 1264 Number of processors: 2
13:32:49:060 1264 Page size: 0x1000
13:32:49:060 1264 Boot type: Normal boot
13:32:49:060 1264 ================================================================================
13:32:49:263 1264 Initialize success
13:32:49:263 1264
13:32:49:263 1264 Scanning Services ...
13:32:49:310 1264 Raw services enum returned 359 services
13:32:49:310 1264
13:32:49:310 1264 Scanning Drivers ...
13:32:49:654 1264 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
13:32:49:701 1264 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:32:49:732 1264 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:32:49:748 1264 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
13:32:49:779 1264 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
13:32:49:810 1264 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:32:49:841 1264 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
13:32:49:888 1264 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
13:32:49:888 1264 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
13:32:50:029 1264 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:32:50:060 1264 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:32:50:123 1264 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:32:50:170 1264 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:32:50:201 1264 b57w2k (71509c9db1a4b2c05141563fbe3e18a0) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
13:32:50:216 1264 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:32:50:248 1264 Blfp (ed3763d2d54bf2c6180983e0201406cf) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
13:32:50:279 1264 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:32:50:295 1264 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:32:50:341 1264 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:32:50:373 1264 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:32:50:513 1264 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:32:50:560 1264 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:32:50:607 1264 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:32:50:623 1264 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:32:50:654 1264 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:32:50:670 1264 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
13:32:50:701 1264 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:32:50:716 1264 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
13:32:50:748 1264 eamon (d4f94d45e25d764462a5b95bc426c8d0) C:\WINDOWS\system32\DRIVERS\eamon.sys
13:32:50:966 1264 ehdrv (9456462c1425d2bbf1616edabfaba5f4) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
13:32:50:998 1264 epfwtdir (4b308624fadf5bb6490d8f8d7aebf5df) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
13:32:51:029 1264 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:32:51:060 1264 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:32:51:091 1264 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:32:51:091 1264 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:32:51:123 1264 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:32:51:154 1264 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:32:51:185 1264 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:32:51:216 1264 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:32:51:248 1264 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:32:51:279 1264 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:32:51:310 1264 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:32:51:373 1264 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:32:51:435 1264 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:32:51:466 1264 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
13:32:51:513 1264 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
13:32:51:545 1264 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
13:32:51:560 1264 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
13:32:51:576 1264 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
13:32:51:607 1264 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
13:32:51:623 1264 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
13:32:51:638 1264 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
13:32:51:654 1264 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
13:32:51:670 1264 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
13:32:51:701 1264 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
13:32:51:748 1264 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
13:32:51:779 1264 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
13:32:51:826 1264 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
13:32:51:857 1264 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
13:32:51:904 1264 iaStor (2358c53f30cb9dcd1d3843c4e2f299b2) C:\WINDOWS\system32\DRIVERS\iaStor.sys
13:32:51:951 1264 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:32:52:076 1264 IntcAzAudAddService (915ce2a58c6917e3c53be1e91fa66ba8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
13:32:52:138 1264 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:32:52:185 1264 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:32:52:201 1264 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:32:52:263 1264 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:32:52:310 1264 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:32:52:326 1264 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:32:52:357 1264 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:32:52:373 1264 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:32:52:404 1264 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:32:52:420 1264 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:32:52:451 1264 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:32:52:498 1264 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
13:32:52:529 1264 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:32:52:576 1264 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:32:52:607 1264 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:32:52:638 1264 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:32:52:670 1264 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:32:52:685 1264 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:32:52:701 1264 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:32:52:748 1264 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:32:52:795 1264 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:32:52:826 1264 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:32:52:857 1264 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:32:52:904 1264 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:32:52:935 1264 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:32:52:982 1264 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:32:52:998 1264 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
13:32:53:013 1264 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:32:53:029 1264 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:32:53:045 1264 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:32:53:060 1264 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:32:53:076 1264 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
13:32:53:091 1264 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:32:53:107 1264 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:32:53:123 1264 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:32:53:170 1264 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:32:53:201 1264 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:32:53:357 1264 nv (ffef1b531a29d709d91be4f94027ce28) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
13:32:53:435 1264 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:32:53:451 1264 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:32:53:498 1264 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
13:32:53:529 1264 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:32:53:529 1264 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:32:53:560 1264 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:32:53:576 1264 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:32:53:607 1264 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:32:53:623 1264 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:32:53:763 1264 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:32:53:779 1264 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:32:53:795 1264 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:32:53:826 1264 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:32:53:935 1264 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:32:53:982 1264 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:32:53:998 1264 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:32:54:013 1264 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:32:54:029 1264 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:32:54:045 1264 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:32:54:060 1264 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:32:54:091 1264 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
13:32:54:123 1264 redbook (20d1ad2ea00417c7d80ef3d12a34e2cf) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:32:54:123 1264 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 20d1ad2ea00417c7d80ef3d12a34e2cf, Fake md5: f828dd7e1419b6653894a8f97a0094c5
13:32:54:123 1264 File "C:\WINDOWS\system32\DRIVERS\redbook.sys" infected by TDSS rootkit ... 13:32:55:185 1264 Backup copy found, using it..
13:32:55:232 1264 will be cured on next reboot
13:32:55:295 1264 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
13:32:55:326 1264 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
13:32:55:435 1264 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:32:55:466 1264 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:32:55:513 1264 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:32:55:545 1264 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:32:55:638 1264 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:32:55:670 1264 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:32:55:732 1264 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
13:32:55:748 1264 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:32:55:763 1264 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:32:55:826 1264 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
13:32:55:841 1264 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
13:32:55:841 1264 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
13:32:55:857 1264 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
13:32:55:873 1264 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
13:32:55:920 1264 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:32:55:951 1264 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:32:55:998 1264 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:32:56:029 1264 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:32:56:045 1264 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:32:56:091 1264 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:32:56:154 1264 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:32:56:216 1264 usbbus (0678c457f49f20666ab16edda4d1391d) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
13:32:56:248 1264 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:32:56:295 1264 UsbDiag (7dd3eefc62a1ef44e5f940fa651ed9ed) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
13:32:56:341 1264 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:32:56:373 1264 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:32:56:404 1264 USBModem (290914c187c25b42e1c64d7cfad8b2fc) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
13:32:56:451 1264 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:32:56:466 1264 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:32:56:498 1264 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
13:32:56:513 1264 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:32:56:545 1264 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
13:32:56:607 1264 VirtDisk (eeaf5fd3706ddc4fa8856bd571eb0487) c:\windows\sminst\VirtDisk.sys
13:32:56:654 1264 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:32:56:670 1264 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:32:56:732 1264 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:32:56:763 1264 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
13:32:56:810 1264 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:32:56:888 1264 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:32:56:888 1264 Reboot required for cure complete..
13:32:56:920 1264 Cure on reboot scheduled successfully
13:32:56:920 1264
13:32:56:920 1264 Completed
13:32:56:920 1264
13:32:56:920 1264 Results:
13:32:56:920 1264 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:32:56:920 1264 File objects infected / cured / cured on reboot: 1 / 0 / 1
13:32:56:920 1264
13:32:56:920 1264 KLMD(ARK) unloaded successfully
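Reading a TDSSKiller log by eye is error-prone once it runs to a couple of hundred driver lines. As an added example (not part of this thread and not Kaspersky's code), the Python below parses log lines in the format pasted above, pulls out the forged-driver finding (the tool lists two MD5 values for the same path, labelled Real and Fake; a mismatch between them is the forged-driver indicator) and the Results counters, and turns them into follow-up notes: which files were found forged, whether a reboot is still pending to complete the cure, and whether anything was left uncured. The sample log embedded in the block is constructed from the lines above; the regexes match that 2.3.2.0 format and are an assumption for other versions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the format of the TDSSKiller 2.3.2.0 log pasted in this thread:
# two ordinary driver entries, the forged-driver finding for redbook.sys, and the Results block.
SAMPLE_TDSSKILLER_LOG = r"""
13:32:54:123 1264 redbook (20d1ad2ea00417c7d80ef3d12a34e2cf) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:32:54:123 1264 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 20d1ad2ea00417c7d80ef3d12a34e2cf, Fake md5: f828dd7e1419b6653894a8f97a0094c5
13:32:54:123 1264 File "C:\WINDOWS\system32\DRIVERS\redbook.sys" infected by TDSS rootkit ... 13:32:55:185 1264 Backup copy found, using it..
13:32:55:232 1264 will be cured on next reboot
13:32:55:295 1264 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
13:32:56:920 1264 Results:
13:32:56:920 1264 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:32:56:920 1264 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line starts with "hh:mm:ss:mmm <pid> "; the rest is the message.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
INFECTED_RE = re.compile(r'^File "([^"]+)" infected by (.+?) \.\.\.')
RESULTS_RE = re.compile(
    r"^(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


@dataclass
class Forged:
    path: str
    real_md5: str   # hash the tool labels "Real"
    fake_md5: str   # hash the tool labels "Fake"; a mismatch is the forged-driver indicator


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # service name -> (md5, path)
    forged: List[Forged] = field(default_factory=list)
    infected: List[Tuple[str, str]] = field(default_factory=list)       # (path, threat name)
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)  # kind -> (infected, cured, on reboot)


def parse_tdsskiller_log(text: str) -> Report:
    """Parse TDSSKiller log text into a Report; lines matching no known pattern are skipped."""
    report = Report()
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        if (f := FORGED_RE.match(body)):
            report.forged.append(Forged(*f.groups()))
        elif (i := INFECTED_RE.match(body)):
            report.infected.append((i.group(1), i.group(2)))
        elif (r := RESULTS_RE.match(body)):
            counts = tuple(int(x) for x in r.groups()[1:])
            report.results[r.group(1)] = counts  # type: ignore[assignment]
        elif (d := DRIVER_RE.match(body)):
            report.drivers[d.group(1)] = (d.group(2), d.group(3))
    return report


def triage(report: Report) -> List[str]:
    """Turn a Report into follow-up notes for the person cleaning the machine."""
    notes = []
    for f in report.forged:
        notes.append(f"forged driver {f.path}: real md5 {f.real_md5}, presented md5 {f.fake_md5}")
    for kind, (infected, cured, on_reboot) in report.results.items():
        if on_reboot:
            notes.append(f"{on_reboot} {kind.lower()} object(s) scheduled for cure on reboot; "
                         "re-run the scan after rebooting to confirm")
        if infected > cured + on_reboot:
            notes.append(f"{infected - cured - on_reboot} {kind.lower()} object(s) left uncured")
    return notes


if __name__ == "__main__":
    for note in triage(parse_tdsskiller_log(SAMPLE_TDSSKILLER_LOG)):
        print(note)
```

Run against the log above, the only follow-up items are the forged redbook.sys and the pending reboot; a second TDSSKiller run after the reboot should then report 0 / 0 / 0 for file objects.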

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 14 June 2010 - 01:20 PM

I think we have most if not all of it now.

1. Outlook will not allow me to connect using any clickable links in emails. I have to copy the address and paste it in the browser. This is the error message I receive -- "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."

This one you may need to start a topic in Web Browsing for an answer, if it persists after our last scan.

2. Whenever I reboot, I now get the following error message -- "Error loading dirsgdmc.dll The specified module could not be found."
This we can fix with Autoruns after the last scan, in case we get another.

Please run ESET
Please perform a scan with ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?"
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\ESET\ESET Online Scanner\log.txt
    folder.
  • Click Posted Image > Run..., then copy and paste this command into the open box: C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



AUTORUNS

It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specified module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.

Edited by boopme, 14 June 2010 - 01:22 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
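The Autoruns step above is a manual hunt for a registry value that still points at a deleted file. As an added example (not part of the post, and not the Autoruns tool itself), the PowerShell script below automates the same check for a subset of the locations Autoruns covers: the Run/RunOnce keys, the Winlogon Shell and Userinit values, and AppInit_DLLs. It resolves each command line to the file Windows would actually load (including the DLL behind a rundll32 entry) and reports entries whose file is gone, which is exactly what produces "The specified module could not be found" at logon. It assumes Windows PowerShell 2.0 or later (available for XP via the Windows Management Framework); the function names are this example's own.

```powershell
# Added example (not part of the forum post): find autostart entries whose
# target file no longer exists, i.e. the orphaned registry values that produce
# "Error loading <name>.dll / The specified module could not be found" at logon.
# Assumes Windows PowerShell 2.0 or later; checks only a subset of the
# locations Autoruns covers (Run/RunOnce, Winlogon Shell/Userinit, AppInit_DLLs).

function Get-ImagePath {
    # Extract the file the command line actually loads. Handles quoted paths,
    # trailing arguments and rundll32 "<dll>,<export>" invocations; expands %VARS%.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"')  { $path = $Matches[1] }
    elseif ($cmd -match '^(\S+)')  { $path = $Matches[1] }
    else { return $null }
    if ($path -match '(?i)rundll32(\.exe)?$' -and $cmd -match '^\S+\s+"?([^",]+)') {
        $path = $Matches[1].Trim()   # rundll32 itself is fine; the DLL is the real target
    }
    return $path
}

function Test-ImageExists {
    # Mimic the loader's search for bare names: System32, %SystemRoot%, then PATH.
    param([string]$Path)
    if (-not $Path) { return $true }          # nothing to resolve, so do not flag it
    $candidates = @($Path)
    if ([IO.Path]::GetExtension($Path) -eq '') { $candidates += "$Path.exe"; $candidates += "$Path.dll" }
    foreach ($c in $candidates) {
        if ($c -match '[\\/]') {
            if (Test-Path -LiteralPath $c -PathType Leaf) { return $true }
        } else {
            $dirs = @("$env:SystemRoot\system32", $env:SystemRoot) + ($env:Path -split ';')
            foreach ($d in $dirs) {
                if ($d -and (Test-Path -LiteralPath (Join-Path $d $c) -PathType Leaf)) { return $true }
            }
        }
    }
    return $false
}

function Get-AutostartEntries {
    # Collect (Location, Name, Command) triples from the registry locations checked here.
    $entries = @()
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata, not registry values
            $entries += New-Object PSObject -Property @{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlKey
    foreach ($name in 'Shell', 'Userinit') {             # comma-separated lists of programs
        foreach ($cmd in ([string]$wl.$name -split ',')) {
            if ($cmd.Trim()) { $entries += New-Object PSObject -Property @{ Location = $wlKey; Name = $name; Command = $cmd.Trim() } }
        }
    }
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($dll in ([string](Get-ItemProperty -Path $winKey).AppInit_DLLs -split '[ ,]+')) {
        if ($dll) { $entries += New-Object PSObject -Property @{ Location = $winKey; Name = 'AppInit_DLLs'; Command = $dll } }
    }
    return $entries
}

function Find-OrphanedAutoruns {
    # Return only the entries whose image cannot be found on disk.
    foreach ($e in Get-AutostartEntries) {
        $img = Get-ImagePath $e.Command
        if (-not (Test-ImageExists $img)) {
            $e | Add-Member -MemberType NoteProperty -Name Image -Value $img -PassThru
        }
    }
}

$orphans = @(Find-OrphanedAutoruns)
$orphans | Format-Table -AutoSize Location, Name, Image, Command

# Remove a flagged Run/RunOnce value only after confirming it; drop -WhatIf to delete.
# Shell, Userinit and AppInit_DLLs are reported but never deleted: deleting the value
# itself would break logon, so restore those to their default contents by hand.
foreach ($o in $orphans) {
    if ('Shell', 'Userinit', 'AppInit_DLLs' -contains $o.Name) { continue }
    Remove-ItemProperty -Path $o.Location -Name $o.Name -WhatIf
}
```

Run it from an elevated prompt on Vista or later so the HKLM values can be removed. A name that turns up here should match the file named in the startup error; an entry whose file exists but looks unfamiliar is not an orphan and belongs in the next scan log rather than in a delete.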

#5 lingle873333

lingle873333
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:08:56 PM

Posted 14 June 2010 - 02:26 PM

I am currently running ESET NOD32 v4 on my workstation; all updates have been installed. Should I run this or go to the online scanner?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:56 PM

Posted 14 June 2010 - 02:39 PM

As you are currently updated I don't see any reason not to use yours.

#7 lingle873333

lingle873333
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:08:56 PM

Posted 14 June 2010 - 04:42 PM

Well......
All of the issues are resolved except the Outlook issue; I'll start a new topic as you suggested.

Again, thanks so very much for your help. You are an absolute champ.

All the best,
Jon Fitch

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:56 PM

Posted 14 June 2010 - 07:44 PM

You're welcome Jon;
I have one more step for you and you should do this now and then again after they fix your Outlook issue. I don't use Outlook and do not want to give you any bad advice. To each his own :thumbsup:


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
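The restore-point procedure above can be driven from PowerShell as well. This added example (not part of the post) creates the post-cleanup restore point through the SystemRestore WMI class and then lists every point with its sequence number and creation time, so the older points that may still hold a copy of the removed malware are visible before they are discarded. It assumes Windows PowerShell 2.0 or later running elevated on XP, Vista or 7; the function names and the description text are this example's own.

```powershell
# Added example (not part of the forum post): create a post-cleanup restore point
# and list all points so the older, possibly infected ones are visible.
# Assumes Windows PowerShell 2.0 or later running elevated on XP/Vista/7 and uses
# the SystemRestore WMI class; the GUI steps in the post do the same thing.

function New-CleanRestorePoint {
    param([string]$Description = 'Clean after malware removal')
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    # RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
    $rc = $sr.CreateRestorePoint($Description, 12, 100).ReturnValue
    if ($rc -ne 0) { throw "CreateRestorePoint failed, return code $rc" }
}

function Get-RestorePoints {
    # Oldest first; CreationTime is a DMTF timestamp string, converted here.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                Seq         = $_.SequenceNumber
                Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Description = $_.Description
            }
        }
}

New-CleanRestorePoint
$points = @(Get-RestorePoints)
$points | Format-Table -AutoSize Seq, Created, Description

# Everything except the newest entry predates the cleanup. The WMI class has no
# delete method, so remove the old points with Disk Cleanup as in the post
# (on Vista/7, "vssadmin delete shadows /for=C: /oldest" drops one point per call).
"Keep sequence number $($points[-1].Seq) ('$($points[-1].Description)'); remove the $($points.Count - 1) older point(s)."
```

On Vista and 7 the built-in Checkpoint-Computer cmdlet wraps the same WMI call; the direct call is used here because it also works on XP with PowerShell 2.0 installed. Re-run the listing after Disk Cleanup to confirm that only the new point remains.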



