Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help Please!


  • This topic is locked This topic is locked
31 replies to this topic

#1 ssp0929

ssp0929

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 16 June 2010 - 10:36 AM

THIS IS THE ORIGINAL TOPIC... .

http://www.bleepingcomputer.com/forums/t/324213/need-help-please/


DDS (Ver_10-03-17.01) - NTFSx86
Run by Stephen at 10:22:59.74 on Wed 06/16/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============

C:Windowssystem32wininit.exe
C:Windowssystem32lsm.exe
C:Program FilesMicrosoft Security EssentialsMsMpEng.exe
C:Windowssystem32Ati2evxx.exe
C:Windowssystem32SLsvc.exe
C:Windowssystem32Ati2evxx.exe
C:WindowsSystem32spoolsv.exe
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:WindowsRtHDVCpl.exe
C:Program FilesPure NetworksNetwork Magicnmapp.exe
C:Program FilesMicrosoft Security Essentialsmsseces.exe
C:Windowsehomeehtray.exe
C:Program FilesPando NetworksMedia BoosterPMB.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesPure NetworksNetwork Magicnmsrvc.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticMOM.exe
C:Program FilesCommon FilesMicrosoft SharedWindows LiveWLIDSVC.EXE
C:Windowssystem32SearchIndexer.exe
C:Program FilesCommon FilesMicrosoft SharedWindows LiveWLIDSvcM.exe
C:Windowsehomeehmsas.exe
C:Program FilesWindows Media Playerwmpnscfg.exe
C:Program FilesWindows Media Playerwmpnetwk.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesATI TechnologiesATI.ACECore-StaticCCC.exe
C:Windowssystem32SearchProtocolHost.exe
C:Windowssystem32SearchFilterHost.exe
C:Program FilesMicrosoft Security EssentialsMpCmdRun.exe
C:UsersStephenDesktopdds.scr
C:Windowssystem32svchost.exe -k DcomLaunch
C:Windowssystem32svchost.exe -k rpcss
C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted
C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted
C:Windowssystem32svchost.exe -k GPSvcGroup
C:Windowssystem32svchost.exe -k LocalService
C:Windowssystem32svchost.exe -k NetworkService
C:Windowssystem32svchost.exe -k LocalServiceNoNetwork
C:Windowssystem32svchost.exe -k NetworkServiceNetworkRestricted
C:Windowssystem32svchost.exe -k imgsvc
C:WindowsSystem32svchost.exe -k WerSvcGroup

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:49750
uInternet Settings,ProxyOverride =
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:program filesadobe/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:program filescommon filesadobeacrobatactivexAcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:program filesavgavg8avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.1.1309.3572swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:program filesadobe/Adobe Contribute CS4/contributeieplugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [Sidebar] c:program fileswindows sidebarsidebar.exe /autoRun
uRun: [ehTray.exe] c:windowsehomeehTray.exe
uRun: [Auto EPSON Stylus Photo R280 Series on CHANG-PC] c:windowssystem32spooldriversw32x863e_faticka.exe /fu "c:windowstempE_SD9.tmp" /EF "HKCU"
uRun: [Google Update] "c:usersstephenappdatalocalgoogleupdateGoogleUpdate.exe" /c
uRun: [Pando Media Booster] c:program filespando networksmedia boosterPMB.exe
uRun: [WMPNSCFG] c:program fileswindows media playerWMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [Adobe Acrobat Speed Launcher] "c:program filesadobeacrobat 9.0acrobatAcrobat_sl.exe"
mRun: []
mRun: [StartCCC] "c:program filesati technologiesati.acecore-staticCLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nmapp] "c:program filespure networksnetwork magicnmapp.exe" -autorun -nosplash
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AdobeCS4ServiceManager] "c:program filescommon filesadobecs4servicemanagerCS4ServiceManager.exe" -launchedbylogin
mRun: [MSSE] "c:program filesmicrosoft security essentialsmsseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:program filescommon filesadobeacrobatactivexAcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-16 10:32:24
Windows 6.0.6002 Service Pack 2
Running: szz7bbvt.exe; Driver: C:UsersStephenAppDataLocalTempkwndrpog.sys


---- System - GMER 1.0.15 ----

SSDT ??C:Program FilesSUPERAntiSpywareSASKUTIL.SYS ZwTerminateProcess [0x9073C620]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 81EBDD84 4 Bytes [20, C6, 73, 90] {AND DH, AL; JAE 0xffffffffffffff94}
.text C:Windowssystem32DRIVERSatikmdag.sys section is writeable [0x8F609000, 0x23097E, 0xE8000020]
.text C:Windowssystem32DRIVERSatksgt.sys section is writeable [0xA540E300, 0x3AE88, 0xE8000020]
.text C:Windowssystem32DRIVERSlirsgt.sys section is writeable [0xA5451300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:WindowsExplorer.EXE[2140] ntdll.dll!NtProtectVirtualMemory 77404D34 5 Bytes JMP 007D000A
.text C:WindowsExplorer.EXE[2140] ntdll.dll!NtWriteVirtualMemory 77405674 5 Bytes JMP 007E000A
.text C:WindowsExplorer.EXE[2140] ntdll.dll!KiUserExceptionDispatcher 77405DC8 5 Bytes JMP 007C000A
.text C:Program FilesMozilla Firefoxfirefox.exe[3916] ntdll.dll!NtProtectVirtualMemory 77404D34 5 Bytes JMP 002C000A
.text C:Program FilesMozilla Firefoxfirefox.exe[3916] ntdll.dll!NtWriteVirtualMemory 77405674 5 Bytes JMP 002D000A
.text C:Program FilesMozilla Firefoxfirefox.exe[3916] ntdll.dll!KiUserExceptionDispatcher 77405DC8 5 Bytes JMP 002B000A

---- Registry - GMER 1.0.15 ----

Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:Program FilesDAEMON Tools Lite
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD3 0x09 0x41 0x46 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@hdf12 0x62 0xCF 0x0C 0xC4 ...
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0
Reg HKLMSYSTEMCurrentControlSetServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0@hdf12 0xE4 0x17 0xFB 0x10 ...
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:Program FilesDAEMON Tools Lite
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD3 0x09 0x41 0x46 ...
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001 (not active ControlSet)
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001@hdf12 0x62 0xCF 0x0C 0xC4 ...
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0 (not active ControlSet)
Reg HKLMSYSTEMControlSet002ServicessptdCfg14919EA49A8F3B4AA3CF1058D9A64CEC00000001gdq0@hdf12 0xE4 0x17 0xFB 0x10 ...




Attached File  Attach.txt   9.74KB   5 downloads

Edited by ssp0929, 16 June 2010 - 03:47 PM.


BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:46 AM

Posted 21 June 2010 - 02:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 21 June 2010 - 11:31 PM

Alrighty, I'll get on it first thing in the morning!

Posted Image


#4 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 23 June 2010 - 12:14 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Stephen at 11:17:55.65 on Wed 06/23/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3070.2014 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Autodesk\3dsmax\mentalimages\satellite\raysat_3dsmax2011_32server.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Stephen\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:49750
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Auto EPSON Stylus Photo R280 Series on CHANG-PC] c:\windows\system32\spool\drivers\w32x86\3\e_faticka.exe /fu "c:\windows\temp\E_SD9.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClie

Attached Files



#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:46 AM

Posted 25 June 2010 - 12:04 PM

Hello, ssp0929
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#6 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 26 June 2010 - 03:02 PM

Thanks for the quick response Tom! I'll get on this first thing tomorrow, I have some business today and unfortunately will not be able to follow any of these steps at the moment. Sorry. sad.gif

Posted Image


#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:46 AM

Posted 27 June 2010 - 06:58 AM

Ok smile.gif
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#8 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 28 June 2010 - 01:06 PM

Uh... ComboFix was stuck at the loading screen for like hours for me. sad.gif

Posted Image


#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:46 AM

Posted 30 June 2010 - 01:06 PM

Did you disable your security software?
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#10 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 02 July 2010 - 10:57 PM

I disabled all of it. Combofix did this to me before too. I was instructed to use it like 3 weeks ago. Failed on me then too.

Posted Image


#11 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 04 July 2010 - 11:12 AM

Just got infected with AV Soft again... I wiped it from my computer again, but this Google Redirect rootkit is not letting me update my Microsoft Security Essentials anti-virus. I need to wipe the rootkit first...

Posted Image


#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:46 AM

Posted 06 July 2010 - 03:43 PM

Hi smile.gif
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#13 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 08 July 2010 - 10:36 PM

Sorry for the slow response... will post results in morning.

Posted Image


#14 ssp0929

ssp0929
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 09 July 2010 - 10:14 AM

09:53:48:796 4048 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
09:53:48:796 4048 ================================================================================
09:53:48:796 4048 SystemInfo:

09:53:48:796 4048 OS Version: 6.0.6002 ServicePack: 2.0
09:53:48:796 4048 Product type: Workstation
09:53:48:796 4048 ComputerName: STEPHEN-7IFOXYZ
09:53:48:796 4048 UserName: Stephen
09:53:48:796 4048 Windows directory: C:\Windows
09:53:48:796 4048 System windows directory: C:\Windows
09:53:48:796 4048 Processor architecture: Intel x86
09:53:48:796 4048 Number of processors: 2
09:53:48:796 4048 Page size: 0x1000
09:53:48:798 4048 Boot type: Normal boot
09:53:48:798 4048 ================================================================================
09:53:49:189 4048 Initialize success
09:53:49:189 4048
09:53:49:189 4048 Scanning Services ...
09:53:49:877 4048 Raw services enum returned 425 services
09:53:49:883 4048
09:53:49:883 4048 Scanning Drivers ...
09:53:51:041 4048 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
09:53:51:132 4048 adfs (ece68655d81d662bc961abc05ba9680e) C:\Windows\system32\drivers\adfs.sys
09:53:51:179 4048 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
09:53:51:210 4048 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
09:53:51:229 4048 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
09:53:51:254 4048 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
09:53:51:333 4048 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
09:53:51:421 4048 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
09:53:51:475 4048 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
09:53:51:519 4048 aliide (3a99cb23a2d326fd532618705d6e3048) C:\Windows\system32\drivers\aliide.sys
09:53:51:545 4048 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
09:53:51:557 4048 amdide (4333c133dbd71c7d7fe4fb1b83f9ee3e) C:\Windows\system32\drivers\amdide.sys
09:53:51:581 4048 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
09:53:51:686 4048 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
09:53:51:754 4048 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
09:53:51:802 4048 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
09:53:51:838 4048 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
09:53:51:869 4048 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
09:53:51:897 4048 AtiHdmiService (d9bc8892b9440a2551b8148c57aa039e) C:\Windows\system32\drivers\AtiHdmi.sys
09:53:52:027 4048 atikmdag (d2e9acb68fa61c911cc21e07f87705bf) C:\Windows\system32\DRIVERS\atikmdag.sys
09:53:52:174 4048 atksgt (3c4b9850a2631c2263507400d029057b) C:\Windows\system32\DRIVERS\atksgt.sys
09:53:52:213 4048 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
09:53:52:244 4048 BIOS (be5d50529799b9bab6be879ec768b6cf) C:\WINDOWS\System32\drivers\BIOS.sys
09:53:52:292 4048 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
09:53:52:328 4048 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
09:53:52:348 4048 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
09:53:52:373 4048 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
09:53:52:386 4048 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
09:53:52:403 4048 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
09:53:52:426 4048 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
09:53:52:452 4048 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
09:53:52:485 4048 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
09:53:52:513 4048 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
09:53:52:555 4048 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
09:53:52:597 4048 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
09:53:52:640 4048 cmdide (dfb94a6fc3a26972b0461ab5f1d8272b) C:\Windows\system32\drivers\cmdide.sys
09:53:52:680 4048 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
09:53:52:701 4048 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
09:53:52:727 4048 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
09:53:52:768 4048 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
09:53:52:794 4048 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
09:53:52:824 4048 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
09:53:52:857 4048 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
09:53:52:899 4048 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
09:53:52:954 4048 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
09:53:52:996 4048 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
09:53:53:034 4048 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
09:53:53:083 4048 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
09:53:53:122 4048 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
09:53:53:150 4048 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
09:53:53:187 4048 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
09:53:53:222 4048 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
09:53:53:235 4048 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
09:53:53:259 4048 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
09:53:53:274 4048 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
09:53:53:292 4048 fvevol (fecf4c2e42440a8d132bf94eee3c3fc9) C:\Windows\system32\DRIVERS\fvevol.sys
09:53:53:334 4048 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
09:53:53:377 4048 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
09:53:53:429 4048 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
09:53:53:463 4048 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
09:53:53:477 4048 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
09:53:53:500 4048 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
09:53:53:528 4048 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
09:53:53:579 4048 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
09:53:53:596 4048 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
09:53:53:630 4048 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
09:53:53:657 4048 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
09:53:53:683 4048 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
09:53:53:759 4048 IntcAzAudAddService (f6e17c275666a4402588a30e36565910) C:\Windows\system32\drivers\RTKVHDA.sys
09:53:53:838 4048 intelide (1c60617d54bc9f035671a44b75d9f7cc) C:\Windows\system32\drivers\intelide.sys
09:53:53:874 4048 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
09:53:53:903 4048 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
09:53:53:949 4048 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
09:53:53:995 4048 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
09:53:54:038 4048 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
09:53:54:060 4048 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
09:53:54:102 4048 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
09:53:54:115 4048 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
09:53:54:140 4048 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
09:53:54:174 4048 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
09:53:54:207 4048 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
09:53:54:249 4048 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\Windows\system32\drivers\klmd.sys
09:53:54:282 4048 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
09:53:54:314 4048 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\Windows\system32\DRIVERS\lirsgt.sys
09:53:54:346 4048 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
09:53:54:387 4048 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
09:53:54:414 4048 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
09:53:54:440 4048 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
09:53:54:478 4048 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
09:53:54:508 4048 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
09:53:54:541 4048 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
09:53:54:578 4048 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys
09:53:54:597 4048 mouclass (9b0f339b713606bed8847d433b9d35a1) C:\Windows\system32\DRIVERS\mouclass.sys
09:53:54:598 4048 Suspicious file (Forged): C:\Windows\system32\DRIVERS\mouclass.sys. Real md5: 9b0f339b713606bed8847d433b9d35a1, Fake md5: 5bf6a1326a335c5298477754a506d263
09:53:54:598 4048 File "C:\Windows\system32\DRIVERS\mouclass.sys" infected by TDSS rootkit ... 09:54:00:636 4048 Backup copy not found, trying to cure infected file..
09:54:00:636 4048 Cure success, using it..
09:54:00:681 4048 will be cured on next reboot
09:54:00:819 4048 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
09:54:00:865 4048 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
09:54:00:928 4048 MpFilter (dfa1cd670ea50a21c87c92c727c50950) C:\Windows\system32\DRIVERS\MpFilter.sys
09:54:00:965 4048 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
09:54:00:991 4048 MpNWMon (77075a384a94b83e19d78efbcf8a832e) C:\Windows\system32\DRIVERS\MpNWMon.sys
09:54:01:022 4048 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
09:54:01:052 4048 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
09:54:01:085 4048 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
09:54:01:133 4048 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
09:54:01:249 4048 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
09:54:01:289 4048 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
09:54:01:404 4048 msahci (f0ec3a4e0693a34b148723b4da31668c) C:\Windows\system32\drivers\msahci.sys
09:54:01:425 4048 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
09:54:01:463 4048 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
09:54:01:492 4048 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
09:54:01:528 4048 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
09:54:01:554 4048 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
09:54:01:576 4048 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
09:54:01:613 4048 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
09:54:01:653 4048 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
09:54:01:683 4048 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
09:54:01:713 4048 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
09:54:01:760 4048 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
09:54:01:809 4048 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
09:54:01:840 4048 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
09:54:01:875 4048 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
09:54:01:902 4048 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
09:54:01:923 4048 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
09:54:01:948 4048 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
09:54:01:983 4048 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
09:54:02:019 4048 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
09:54:02:060 4048 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
09:54:02:078 4048 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
09:54:02:135 4048 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
09:54:02:378 4048 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
09:54:02:525 4048 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
09:54:02:650 4048 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
09:54:02:677 4048 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
09:54:02:703 4048 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
09:54:02:747 4048 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
09:54:02:786 4048 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
09:54:02:816 4048 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
09:54:02:836 4048 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
09:54:02:856 4048 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
09:54:02:880 4048 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
09:54:02:924 4048 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
09:54:02:974 4048 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
09:54:03:038 4048 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
09:54:03:085 4048 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
09:54:03:129 4048 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
09:54:03:246 4048 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
09:54:03:281 4048 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
09:54:03:381 4048 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
09:54:03:415 4048 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
09:54:03:444 4048 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
09:54:03:472 4048 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
09:54:03:485 4048 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
09:54:03:519 4048 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
09:54:03:555 4048 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
09:54:03:591 4048 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
09:54:03:609 4048 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
09:54:03:635 4048 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
09:54:03:672 4048 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
09:54:03:705 4048 RTL8169 (abbe0f54ba3a378262c9cb86cf7d91f8) C:\Windows\system32\DRIVERS\Rtlh86.sys
09:54:03:757 4048 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
09:54:03:796 4048 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
09:54:03:924 4048 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
09:54:03:976 4048 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
09:54:04:009 4048 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
09:54:04:032 4048 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
09:54:04:063 4048 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
09:54:04:100 4048 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
09:54:04:139 4048 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
09:54:04:185 4048 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
09:54:04:200 4048 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
09:54:04:225 4048 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
09:54:04:250 4048 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
09:54:04:276 4048 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
09:54:04:314 4048 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
09:54:04:344 4048 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
09:54:04:389 4048 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
09:54:04:440 4048 srv (0debafcc0e3591fca34f077cab62f7f7) C:\Windows\system32\DRIVERS\srv.sys
09:54:04:472 4048 srv2 (6b6f3658e0a58c6c50c5f7fbdf3df633) C:\Windows\system32\DRIVERS\srv2.sys
09:54:04:513 4048 srvnet (0c5ab1892ae0fa504218db094bf6d041) C:\Windows\system32\DRIVERS\srvnet.sys
09:54:04:547 4048 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
09:54:04:582 4048 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
09:54:04:602 4048 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
09:54:04:627 4048 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
09:54:04:680 4048 Tcpip (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\drivers\tcpip.sys
09:54:04:739 4048 Tcpip6 (48cbe6d53632d0067c2d6b20f90d84ca) C:\Windows\system32\DRIVERS\tcpip.sys
09:54:04:782 4048 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
09:54:04:817 4048 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
09:54:04:850 4048 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
09:54:04:885 4048 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
09:54:04:920 4048 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
09:54:04:969 4048 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
09:54:04:997 4048 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
09:54:05:045 4048 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
09:54:05:082 4048 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
09:54:05:129 4048 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
09:54:05:184 4048 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
09:54:05:218 4048 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
09:54:05:234 4048 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
09:54:05:248 4048 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
09:54:05:283 4048 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
09:54:05:324 4048 UMPass (88bd96a1baeed33ee8bdf9499c07a841) C:\Windows\system32\DRIVERS\umpass.sys
09:54:05:362 4048 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
09:54:05:404 4048 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
09:54:05:534 4048 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
09:54:05:552 4048 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
09:54:05:580 4048 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
09:54:05:596 4048 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
09:54:05:636 4048 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
09:54:05:673 4048 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
09:54:05:701 4048 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
09:54:05:743 4048 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
09:54:05:763 4048 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
09:54:05:796 4048 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
09:54:05:838 4048 viaide (58c8d5ac5c3eef40e7e704a5ced7987d) C:\Windows\system32\drivers\viaide.sys
09:54:05:878 4048 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
09:54:05:914 4048 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
09:54:05:940 4048 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
09:54:05:979 4048 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
09:54:06:006 4048 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
09:54:06:044 4048 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
09:54:06:047 4048 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
09:54:06:071 4048 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
09:54:06:141 4048 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
09:54:06:258 4048 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
09:54:06:319 4048 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\Windows\system32\DRIVERS\wpdusb.sys
09:54:06:364 4048 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
09:54:06:401 4048 WudfPf (13b5f255e90624a5ba0441d39cfb6be2) C:\Windows\system32\DRIVERS\WudfPf.sys
09:54:06:438 4048 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
09:54:06:441 4048 Reboot required for cure complete..
09:54:06:784 4048 Cure on reboot scheduled successfully
09:54:06:784 4048
09:54:06:785 4048 Completed
09:54:06:785 4048
09:54:06:785 4048 Results:
09:54:06:785 4048 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:54:06:785 4048 File objects infected / cured / cured on reboot: 1 / 0 / 1
09:54:06:785 4048
09:54:06:795 4048 KLMD(ARK) unloaded successfully

Hmmm... after running this, I can now update my windows, my Windows Server Host is not crashing, and the google redirect have seemed to stop! Wow!

Posted Image


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:46 AM

Posted 10 July 2010 - 08:10 AM

Good smile.gif


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt





  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users