Firefox redirect


9 replies to this topic

#1 whacked

Posted 10 August 2010 - 08:41 AM

Hello, I have a redirect issue.

When I key in bleeping computer it redirects to another site.

I logged on to Bleeping Computer from another computer.

Scanning the various posts I saw where some users ran a Kaspersky utility called TDSSKiller.

Ran it and it did find an issue with "C:\WINDOWS\system32\drivers\dmload.sys. Real md5: bd0e4e0c99fe9ad078dc074206549d52, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f"

Ran the utility and it cleaned it after reboot.

I did run Malwarebyte's Anti Malware and Super AntiSpyware who both found nothing.

How can I be sure I have cleaned this computer of all viruses/malware/junk that is making this computer run so slow?

Thanks to you all.

Edited by whacked, 10 August 2010 - 08:44 AM.



#2 quietman7

Posted 11 August 2010 - 10:48 AM

There are no guarantees or shortcuts when it comes to malware removal and the use of specialized fix tools, especially when dealing with backdoor Trojans, Botnets, IRCBots or rootkit components that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Infections will vary and some will cause more harm to your system than others as a result of it having the ability to download more malicious files. Thus, sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

TDSSKiller found and cured the primary infection but I would like to review the complete log. A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) would have been created and saved to the root directory (usually Local Disk C:). Open that file in Notepad, then copy and paste the contents of that file in your next reply.

Also try another scan to see if you find anything else (i.e. remnants).

Please perform a scan with Eset Online Antivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 whacked

Posted 17 August 2010 - 05:00 PM

Thank you Quietman7. Here's the logs.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bf9c454003c62746aaf79be2ca134934
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-17 09:21:45
# local_time=2010-08-17 05:21:45 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777175 100 0 4962930 4962930 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=53475
# found=6
# cleaned=3
# scan_time=3421
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Family Emails (1).dbx HTML/Phishing.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Family Emails.dbx HTML/Phishing.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Sent Items.dbx HTML/Phishing.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\3\4e84bf83-62c27d91 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\34db286c-20309449 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Downs\unlocker1.8.7.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C

2010/08/10 09:25:23.0406 TDSS rootkit removing tool 2.4.1.1 Aug 10 2010 14:48:09
2010/08/10 09:25:23.0406 ================================================================================
2010/08/10 09:25:23.0406 SystemInfo:
2010/08/10 09:25:23.0406
2010/08/10 09:25:23.0406 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/10 09:25:23.0406 Product type: Workstation
2010/08/10 09:25:23.0406 ComputerName: DAVE-85FY9K843U
2010/08/10 09:25:23.0406 UserName: Dave
2010/08/10 09:25:23.0406 Windows directory: C:\WINDOWS
2010/08/10 09:25:23.0406 System windows directory: C:\WINDOWS
2010/08/10 09:25:23.0406 Processor architecture: Intel x86
2010/08/10 09:25:23.0406 Number of processors: 1
2010/08/10 09:25:23.0406 Page size: 0x1000
2010/08/10 09:25:23.0406 Boot type: Normal boot
2010/08/10 09:25:23.0406 ================================================================================
2010/08/10 09:25:23.0625 Initialize success
2010/08/10 09:25:28.0796 ================================================================================
2010/08/10 09:25:28.0796 Scan started
2010/08/10 09:25:28.0796 Mode: Manual;
2010/08/10 09:25:28.0796 ================================================================================
2010/08/10 09:25:36.0890 dmload (bd0e4e0c99fe9ad078dc074206549d52) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/10 09:25:36.0890 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: bd0e4e0c99fe9ad078dc074206549d52, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f
2010/08/10 09:25:36.0906 dmload - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/10 09:25:56.0937 ================================================================================
2010/08/10 09:25:56.0937 Scan finished
2010/08/10 09:25:56.0937 ================================================================================
2010/08/10 09:25:56.0968 Detected object count: 1
2010/08/10 09:26:10.0218 dmload (bd0e4e0c99fe9ad078dc074206549d52) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/10 09:26:10.0218 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: bd0e4e0c99fe9ad078dc074206549d52, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f
2010/08/10 09:26:15.0828 Backup copy found, using it..
2010/08/10 09:26:15.0859 C:\WINDOWS\system32\drivers\dmload.sys - will be cured after reboot
2010/08/10 09:26:15.0859 Rootkit.Win32.TDSS.tdl3(dmload) - User select action: Cure
2010/08/10 09:26:20.0484 Deinitialize success
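A parser for the ESET scan log in this post, added here as an example (it is not the scanner's or the forum's code): it reads the `# key=value` header, splits each result line into path, threat, status and flag, cross-checks `found`/`cleaned` against the per-file lines, and lists the entries the scanner could not clean. It assumes the line layout seen above; in the scanner's own ESETScan.txt the fields are tab-separated, and for a pasted copy where the tabs collapsed to spaces the path/threat split relies on a heuristic over ESET's naming (a `/` in the detection name, "a variant of", "multiple threats").

```python
import re
from dataclasses import dataclass, field

# Constructed sample: header and result lines copied from the log posted above
# (the scanner's all-zero hash placeholders included).
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# scanned=53475
# found=6
# cleaned=3
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Family Emails (1).dbx HTML/Phishing.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Family Emails.dbx HTML/Phishing.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Sent Items.dbx HTML/Phishing.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\3\4e84bf83-62c27d91 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\34db286c-20309449 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Downs\unlocker1.8.7.exe a variant of Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
# The trailing '(status) <32-hex> <flag>' is unambiguous, so it is matched first;
# the non-greedy head backtracks past parentheses inside names such as
# 'Family Emails (1).dbx' because a 32-hex hash must follow the status.
FINDING_RE = re.compile(
    r"^(?P<head>.+?)\s+\((?P<status>[^()]+)\)\s+[0-9a-fA-F]{32}\s+(?P<flag>[A-Z])\s*$"
)
MAIL_STORES = (".dbx", ".pst")  # Outlook Express / Outlook mail containers


@dataclass
class Finding:
    path: str
    threat: str
    status: str
    flag: str

    @property
    def resolved(self) -> bool:
        # ESET words successful actions as 'cleaned', 'deleted' or 'deleted - quarantined'.
        return self.status.startswith(("cleaned", "deleted"))

    @property
    def in_mail_store(self) -> bool:
        # A hit inside a mail container is not removable per message by the scanner;
        # the message (or the whole store) has to go, as the moderator advises later.
        return self.path.lower().endswith(MAIL_STORES)


@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    def count(self, key: str) -> int:
        return int(self.header.get(key, 0))

    def unresolved(self) -> list:
        return [f for f in self.findings if not f.resolved]

    def counts_match(self) -> bool:
        # Cross-check the scanner's own totals against the per-file lines.
        resolved = sum(f.resolved for f in self.findings)
        return self.count("found") == len(self.findings) and self.count("cleaned") == resolved


def split_head(head: str) -> tuple:
    """Split '<path><sep><threat>' into (path, threat)."""
    if "\t" in head:  # scanner's own file: tab-separated, unambiguous
        path, threat = head.split("\t", 1)
        return path.strip(), threat.strip()
    # Pasted copy: tabs became spaces and both fields contain spaces. Heuristic:
    # ESET names carry a '/' (HTML/Phishing.gen, Win32/Adware.ADON), optionally
    # preceded by 'a variant of', or read 'multiple threats'; the Windows paths
    # in these logs use backslashes only.
    tokens = head.split()
    for i, tok in enumerate(tokens[1:], start=1):
        if "/" in tok:
            start = i - 3 if i >= 3 and tokens[i - 3:i] == ["a", "variant", "of"] else i
            return " ".join(tokens[:start]), " ".join(tokens[start:])
        if tok == "multiple" and tokens[i + 1:i + 2] == ["threats"]:
            return " ".join(tokens[:i]), " ".join(tokens[i:])
    raise ValueError(f"cannot split path from threat: {head!r}")


def parse_eset_log(text: str) -> ScanReport:
    report = ScanReport()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            report.header[m.group(1)] = m.group(2).strip()
        elif (m := FINDING_RE.match(line)):
            path, threat = split_head(m.group("head"))
            report.findings.append(Finding(path, threat, m.group("status"), m.group("flag")))
        # installer banner lines ('all ok', ...) carry no findings and are skipped
    return report


if __name__ == "__main__":
    rep = parse_eset_log(SAMPLE_LOG)
    print(f"found={rep.count('found')} cleaned={rep.count('cleaned')} consistent={rep.counts_match()}")
    for f in rep.unresolved():
        print("NOT CLEANED:", f.threat, "in", f.path, "(mail store)" if f.in_mail_store else "")
```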

#4 quietman7

Posted 17 August 2010 - 08:29 PM

How is your computer running now? Are there any more signs of infection, strange audio ads, bogus security alerts or browser redirects?

#5 whacked

Posted 19 August 2010 - 08:50 AM

It's running fine as of now.

The speed is dramatically up and no suspicious hijacks or redirects are occurring.

Could you see anything that looks out of order from the logs?

I was wondering if I should take all the outlook files and migrate to a separate folder? This is my wife's PC and she has email from the previous millennium - I saw several folders that were tagged but couldn't be cleaned. I wondered if those files were the reason why this keeps re-occurring?

Thank you for taking the time to review my problem and offering guidance. It's truly appreciated.

#6 quietman7

Posted 19 August 2010 - 09:27 AM

This is the relevant part of the log which shows the infection was found and cured.

2010/08/10 09:25:56.0968 Detected object count: 1
2010/08/10 09:26:10.0218 dmload (bd0e4e0c99fe9ad078dc074206549d52) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/10 09:26:10.0218 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: bd0e4e0c99fe9ad078dc074206549d52, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f
2010/08/10 09:26:15.0828 Backup copy found, using it..
2010/08/10 09:26:15.0859 C:\WINDOWS\system32\drivers\dmload.sys - will be cured after reboot
2010/08/10 09:26:15.0859 Rootkit.Win32.TDSS.tdl3(dmload) - User select action: Cure


TDL3 is the third generation of TDSS which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptoms/signs of this infection include:
  • Google search results redirected as TDL3 modifies DNS query results.
  • Infected (patched) files like atapi.sys, iastor.sys and others in the Windows drivers folder.
  • Slowness of the computer and poor performance.
  • Multiple instances of IEXPLORE.exe in Task Manager.
  • Internet Explorer opens on its own.
  • BSODs that occur immediately after splash screen appears.
For more specific analysis and explanation of the infection, please refer to:

Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by backdoor Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the infection has been identified and removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed all components of a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
Reimaging the system
Restoring the entire system using a full system backup from before the backdoor infection
Reformatting and reinstalling the system

Backdoors and What They Mean to You
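An added example (not TDSSKiller's or the poster's code) that pulls the forged-driver detection out of a TDSSKiller log such as the one quoted above: it pairs each "Suspicious file (Forged)" line's Real/Fake md5 with the driver enumeration entry for the same path, then attaches the detection family, the action chosen and whether the cure is still pending a reboot. It assumes the timestamped line layout seen in the thread; the two hashes disagreeing for one file is the forgery signal the log reports.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the TDSSKiller log quoted above, with
# two untouched driver lines kept for contrast and the post-scan pass included.
SAMPLE_LOG = r"""2010/08/10 09:25:28.0796 Scan started
2010/08/10 09:25:33.0703 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/10 09:25:36.0890 dmload (bd0e4e0c99fe9ad078dc074206549d52) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/10 09:25:36.0890 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: bd0e4e0c99fe9ad078dc074206549d52, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f
2010/08/10 09:25:36.0906 dmload - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/10 09:25:46.0343 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/10 09:25:56.0937 Scan finished
2010/08/10 09:25:56.0968 Detected object count: 1
2010/08/10 09:26:10.0218 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmload.sys. Real md5: bd0e4e0c99fe9ad078dc074206549d52, Fake md5: e9317282a63ca4d188c0df5e09c6ac5f
2010/08/10 09:26:15.0828 Backup copy found, using it..
2010/08/10 09:26:15.0859 C:\WINDOWS\system32\drivers\dmload.sys - will be cured after reboot
2010/08/10 09:26:15.0859 Rootkit.Win32.TDSS.tdl3(dmload) - User select action: Cure
2010/08/10 09:26:20.0484 Deinitialize success
"""

LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<family>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<family>\S+?)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
CURE_RE = re.compile(r"^(?P<path>.+) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Forged:
    path: str
    real_md5: str                   # hash of the file content TDSSKiller read from disk
    fake_md5: str                   # hash of what the system presents for the same file
    name: Optional[str] = None      # service name from the enumeration line
    family: Optional[str] = None    # e.g. Rootkit.Win32.TDSS.tdl3
    action: Optional[str] = None    # action the user chose (Cure in this log)
    cure_pending: bool = False      # 'will be cured after reboot' seen


@dataclass
class TdssReport:
    drivers: dict = field(default_factory=dict)   # name -> (md5, path)
    forged: list = field(default_factory=list)
    detected_count: Optional[int] = None

    def forged_by_path(self, path: str) -> Optional[Forged]:
        return next((f for f in self.forged if f.path.lower() == path.lower()), None)

    def forged_by_name(self, name: str) -> Optional[Forged]:
        return next((f for f in self.forged if f.name == name), None)

    def reboot_needed(self) -> bool:
        return any(f.cure_pending for f in self.forged)

    def consistent(self) -> bool:
        # The scanner's own count should equal the forged entries paired up here,
        # and every one of them should have an action recorded.
        return self.detected_count == len(self.forged) and all(f.action for f in self.forged)


def parse_tdsskiller_log(text: str) -> TdssReport:
    rep = TdssReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (f := FORGED_RE.match(msg)):
            path = f.group("path")
            if rep.forged_by_path(path) is None:   # the post-scan pass repeats the line
                name = next((n for n, (_, p) in rep.drivers.items() if p.lower() == path.lower()), None)
                rep.forged.append(Forged(path, f.group("real"), f.group("fake"), name))
        elif (d := DETECT_RE.match(msg)):
            if (entry := rep.forged_by_name(d.group("name"))):
                entry.family = d.group("family")
        elif (a := ACTION_RE.match(msg)):
            if (entry := rep.forged_by_name(a.group("name"))):
                entry.action = a.group("action")
        elif (c := CURE_RE.match(msg)):
            if (entry := rep.forged_by_path(c.group("path"))):
                entry.cure_pending = True
        elif (k := COUNT_RE.match(msg)):
            rep.detected_count = int(k.group("n"))
        elif (dr := DRIVER_RE.match(msg)):
            rep.drivers[dr.group("name")] = (dr.group("md5"), dr.group("path"))
    return rep


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for f in rep.forged:
        print(f"{f.name}: {f.path}\n  real={f.real_md5}\n  fake={f.fake_md5}\n"
              f"  {f.family} action={f.action} reboot_pending={f.cure_pending}")
    print("reboot needed:", rep.reboot_needed(), "consistent:", rep.consistent())
```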

#7 whacked

Posted 21 August 2010 - 12:53 PM

Well things were running great then another slow down hit.

I ran the ESET software again and it found this:

C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Family Emails (1).dbx HTML/Phishing.gen trojan unable to clean
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Family Emails.dbx HTML/Phishing.gen trojan unable to clean
C:\Documents and Settings\Dave\Local Settings\Application Data\Identities\{636CF603-4F12-43F1-AA6C-917154508B53}\Microsoft\Outlook Express\Sent Items.dbx HTML/Phishing.gen trojan unable to clean
C:\Downs\SDFix.exe Win32/PrcView application deleted - quarantined
C:\Downs\SmitfraudFix.exe multiple threats deleted - quarantined

I think I mentioned before that my wife has a tremendous amount of old email and it looks like perhaps this computer is getting reinfected by having some mail that still has infected attachments.

I'm going to delete these emails and if that fails then I'll rebuild the system.

If you have any better ideas I'm listening.

Thanks again for all your help.

#8 quietman7

Posted 21 August 2010 - 04:05 PM

Yes, go ahead and delete all those Outlook emails.

These two are not malware but older specialized fix tools used by Helpers for cleaning infections.

C:\Downs\SDFix.exe Win32/PrcView application deleted - quarantined
C:\Downs\SmitfraudFix.exe multiple threats deleted - quarantined


Certain embedded files that are part of legitimate programs or specialized fix tools may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes, malware strings it contains and the type of security engine that was used during the scan.

Common detections of embedded files include process.exe, pev.exe, PrcView, nircmd.exe, ncmd.cfxxe, restart.exe, reboot.exe, and catchme.exe.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive" but it won't hurt to remove them so such detections do not occur again.

#9 whacked

Posted 22 August 2010 - 07:56 AM

Thanks for your help.

I have all my discs organized and ready for a rebuild if necessary.

I'll let you know if I have to rebuild.

Thanks again.

#10 quietman7

Posted 22 August 2010 - 09:02 AM

You're welcome and good luck.