
im infected with a redirect virus.


16 replies to this topic

#1 Dragonlady24

Posted 22 August 2010 - 12:58 PM

I have been having issues with my internet pages getting redirected to some weird sites since I removed antivirus suite about a month ago. I have Windows XP. I keep getting redirected when I get online and when I use these two search engines, Google and Ask. I click on a link and it takes me to another site most of the time, unless it's for Yahoo, then I get to the site I need. I have Malwarebytes and HJT to help me with the removal of most of this stuff, but Malwarebytes and HJT haven't found the source of the problem because I still get redirects even after cleaning my system with them.


#2 quietman7

Posted 23 August 2010 - 12:10 PM

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious', get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Dragonlady24

Posted 23 August 2010 - 05:30 PM

Ok, I will. It's been a few days since I scanned though.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4436

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/20/2010 10:49:51 PM
mbam-log-2010-08-20 (22-49-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 212041
Time elapsed: 57 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\NetworkControl\nc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B490D6C-7874-433A-B6CF-E39E64F13A0F}\RP464\A0101672.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B490D6C-7874-433A-B6CF-E39E64F13A0F}\RP464\A0101673.exe (Trojan.VB) -> Quarantined and deleted successfully.
C:\WINDOWS\exe.exe (Trojan.VB) -> Quarantined and deleted successfully.
C:\NetworkControl\checker.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\NetworkControl\tmp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\NetworkControl\tpm.dll (Trojan.Agent) -> Quarantined and deleted successfully.

2010/08/23 17:45:15.0750 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/23 17:45:15.0750 ================================================================================
2010/08/23 17:45:15.0750 SystemInfo:
2010/08/23 17:45:15.0750
2010/08/23 17:45:15.0750 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/23 17:45:15.0750 Product type: Workstation
2010/08/23 17:45:15.0750 ComputerName: NANCY-PC
2010/08/23 17:45:15.0750 UserName: Nancy
2010/08/23 17:45:15.0750 Windows directory: C:\WINDOWS
2010/08/23 17:45:15.0750 System windows directory: C:\WINDOWS
2010/08/23 17:45:15.0750 Processor architecture: Intel x86
2010/08/23 17:45:15.0750 Number of processors: 1
2010/08/23 17:45:15.0750 Page size: 0x1000
2010/08/23 17:45:15.0750 Boot type: Normal boot
2010/08/23 17:45:15.0750 ================================================================================
2010/08/23 17:45:16.0156 Initialize success
2010/08/23 17:45:23.0171 ================================================================================
2010/08/23 17:45:23.0171 Scan started
2010/08/23 17:45:23.0171 Mode: Manual;
2010/08/23 17:45:23.0171 ================================================================================
2010/08/23 17:45:28.0093 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: 4cd0add3f88393d25ac78de2d4faabf7, Fake md5: 044452051f3e02e7963599fc8f4f3e25
2010/08/23 17:45:28.0109 Disk - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/23 17:45:40.0937 ================================================================================
2010/08/23 17:45:40.0937 Scan finished
2010/08/23 17:45:40.0937 ================================================================================
2010/08/23 17:45:40.0968 Detected object count: 1
2010/08/23 17:45:58.0062 Disk (4cd0add3f88393d25ac78de2d4faabf7) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/23 17:45:58.0062 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: 4cd0add3f88393d25ac78de2d4faabf7, Fake md5: 044452051f3e02e7963599fc8f4f3e25
2010/08/23 17:46:04.0625 Backup copy found, using it..
2010/08/23 17:46:04.0703 C:\WINDOWS\system32\DRIVERS\disk.sys - will be cured after reboot
2010/08/23 17:46:04.0703 Rootkit.Win32.TDSS.tdl3(Disk) - User select action: Cure
2010/08/23 17:46:09.0281 Deinitialize success

Edited by Dragonlady24, 23 August 2010 - 05:51 PM.


#4 Dragonlady24

Posted 23 August 2010 - 05:52 PM

So far, after running that scan and rebooting, I haven't had any redirects yet. I did a search on Google and clicked a link, and it seems I am cured because I haven't been redirected after clicking any links. Thanks for your help; everything is running smoothly. I don't even have CWS either. Thanks a lot.

Edited by Dragonlady24, 23 August 2010 - 06:05 PM.


#5 quietman7

Posted 23 August 2010 - 09:15 PM

This is the pertinent section of the log which indicates a TDSS/TDL3 rootkit infection was found and successfully cured.

2010/08/18 18:53:39.0250 Detected object count: 1
2010/08/18 19:29:11.0968 AmdK8 (f1ad4203a6ea113be01283ec68f6ffdc) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/08/18 19:29:11.0968 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\AmdK8.sys. Real md5: f1ad4203a6ea113be01283ec68f6ffdc, Fake md5: 59301936898ae62245a6f09c0aba9475
2010/08/18 19:29:13.0468 Backup copy found, using it..
2010/08/18 19:29:13.0625 C:\WINDOWS\system32\DRIVERS\AmdK8.sys - will be cured after reboot
2010/08/18 19:29:13.0625 Rootkit.Win32.TDSS.tdl3(AmdK8) - User select action: Cure


Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 4436. Last I checked it was 4465.

Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
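The TDSSKiller log in post #3 and the "pertinent section" quietman7 points to in post #5 hinge on the same few lines: a "Suspicious file (Forged)" entry whose two MD5s disagree, the "detected" line naming the rootkit, and the "User select action" line. The parser below is an added example written for this page (not TDSSKiller's or the posters' code); it runs over a constructed sample in that log format, extracts those findings, and reports whether every detection was set to Cure rather than left on the default Skip. The regexes are assumptions derived only from the log lines shown in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the TDSSKiller 2.4 log format shown in
# the thread: one clean driver, one forged driver, and the summary lines.
SAMPLE_LOG = r"""
2010/08/23 17:45:28.0093 Disk (4cd0add3f88393d25ac78de2d4faabf7) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/23 17:45:28.0093 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: 4cd0add3f88393d25ac78de2d4faabf7, Fake md5: 044452051f3e02e7963599fc8f4f3e25
2010/08/23 17:45:28.0109 Disk - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/23 17:45:28.0187 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/23 17:45:40.0968 Detected object count: 1
2010/08/23 17:46:04.0703 C:\WINDOWS\system32\DRIVERS\disk.sys - will be cured after reboot
2010/08/23 17:46:04.0703 Rootkit.Win32.TDSS.tdl3(Disk) - User select action: Cure
"""

# Every log line starts with "YYYY/MM/DD HH:MM:SS.ffff "; the patterns below
# are assumptions taken from the lines quoted in the thread.
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
MD5 = r"[0-9a-f]{32}"
RE_DRIVER = re.compile(TS + r"(?P<svc>\S+) \((?P<md5>" + MD5 + r")\) (?P<path>.+)$")
RE_FORGED = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                      r"Real md5: (?P<real>" + MD5 + r"), Fake md5: (?P<fake>" + MD5 + r")$")
RE_DETECT = re.compile(TS + r"(?P<svc>\S+) - detected (?P<name>\S+)")
RE_COUNT = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
RE_CURE = re.compile(TS + r"(?P<path>.+) - will be cured after reboot$")
RE_ACTION = re.compile(TS + r"(?P<name>[^(]+)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    service: str
    path: str = ""
    real_md5: str = ""
    fake_md5: str = ""
    detection: str = ""
    action: str = ""          # "Cure", "Skip", "Quarantine", ... exactly as logged
    cure_pending: bool = False


@dataclass
class Report:
    drivers_enumerated: int = 0
    detected_count: int = -1  # -1 until a "Detected object count" line is seen
    findings: dict = field(default_factory=dict)  # service name -> Finding


def parse_tdsskiller_log(text: str) -> Report:
    """Walk the log once and collect what TDSSKiller said about each driver."""
    report = Report()
    path_to_service: dict = {}   # learned from the enumeration lines
    seen_paths: set = set()

    def finding_for(service: str) -> Finding:
        return report.findings.setdefault(service, Finding(service=service))

    for line in text.splitlines():
        line = line.rstrip()
        if m := RE_FORGED.match(line):
            # The two hashes disagree because TDSSKiller read the same file two
            # ways; that mismatch is the detection signal for a TDL3-style hook.
            f = finding_for(path_to_service.get(m["path"], m["path"]))
            f.path, f.real_md5, f.fake_md5 = m["path"], m["real"], m["fake"]
        elif m := RE_DETECT.match(line):
            finding_for(m["svc"]).detection = m["name"]
        elif m := RE_COUNT.match(line):
            report.detected_count = int(m["n"])
        elif m := RE_CURE.match(line):
            f = finding_for(path_to_service.get(m["path"], m["path"]))
            f.path, f.cure_pending = m["path"], True
        elif m := RE_ACTION.match(line):
            f = finding_for(m["svc"])
            f.action = m["action"]
            f.detection = f.detection or m["name"]
        elif m := RE_DRIVER.match(line):
            path_to_service[m["path"]] = m["svc"]
            seen_paths.add(m["path"])      # the summary repeats a driver line
    report.drivers_enumerated = len(seen_paths)
    return report


def forged_files(report: Report) -> list:
    """(path, real_md5, fake_md5) for every file whose two hashes disagree."""
    return [(f.path, f.real_md5, f.fake_md5)
            for f in report.findings.values()
            if f.real_md5 and f.fake_md5 and f.real_md5 != f.fake_md5]


def cure_status(report: Report) -> str:
    """'clean' when nothing was detected, 'cured-pending-reboot' when every
    finding was set to Cure and scheduled, else 'action-required' (e.g. the
    user left the default Skip, which leaves the forged driver in place)."""
    if report.detected_count == 0 and not report.findings:
        return "clean"
    if report.findings and all(f.action == "Cure" and f.cure_pending
                               for f in report.findings.values()):
        return "cured-pending-reboot"
    return "action-required"
```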

#6 Dragonlady24

Posted 23 August 2010 - 10:20 PM

Here is the latest scan from Malwarebytes. I'll get the other one tomorrow ASAP because it is getting late and I won't be able to get to it tonight.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4468

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2010 10:18:18 PM
mbam-log-2010-08-23 (22-18-18).txt

Scan type: Quick scan
Objects scanned: 156322
Time elapsed: 16 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Dragonlady24, 23 August 2010 - 10:20 PM.


#7 quietman7

Posted 24 August 2010 - 09:55 AM

Looks clean.

#8 Dragonlady24

Posted 24 August 2010 - 11:28 AM

It looks clean, but I bet once I get the scan done with ESET there will be a lot of stuff that will be found. I'll have that done today.

Edited by Dragonlady24, 24 August 2010 - 11:29 AM.


#9 quietman7

Posted 24 August 2010 - 12:10 PM

Not a problem.

#10 Dragonlady24

Posted 24 August 2010 - 08:38 PM

Here is what the scan found:

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\3\3b00a783-11d37150 multiple threats deleted - quarantined
C:\Documents and Settings\Nancy\easdjadej2.exe Win32/AutoRun.IRCBot.FL worm cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\easjadqaen5.exe Win32/AutoRun.IRCBot.FL worm cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\easjadqaet6.exe Win32/AutoRun.IRCBot.FL worm cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Desktop\backups\backup-20100721-122715-422-lgg70njuz.exe a variant of Win32/Injector.CQB trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Desktop\backups\backup-20100721-122715-427-dttjp66g86s.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Desktop\backups\backup-20100721-122715-566-upkaq0rhn6.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Application Data\{D569DD53-411C-4556-881F-E21F662A9ECF}\chrome\content\overlay.xul probably a variant of Win32/Agent.NVQFFQI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\10.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\116.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\12.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\13.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\14.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\145.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\165.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\17.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\18.tmp a variant of Win32/Kryptik.AK trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\1A.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\1B.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\1E.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\20.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\204.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\21.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\22.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\23.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\231.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\24.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\240.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\249.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\25.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\26.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\2E.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\2nal33ac.exe Win32/AutoRun.IRCBot.FL worm cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\3.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\30.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\31.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\320.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\356.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\360.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\3A.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\3B.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\3E.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\3F.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\41.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\42.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\432.exe a variant of Win32/Injector.CQB trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\440.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\45.tmp a variant of Win32/Kryptik.EVL trojan deleted - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\452.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\46.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\47.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\48.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\487.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\492.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\4C.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\4D.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\4E.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\4F.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\5.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\50.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\52.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\522.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\538.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\570.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\588.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\59.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\5A.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\5B.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\5C.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\6.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\611acye3d.exe Win32/Oficla.HW trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\67.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\68.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\684.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\69.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\6B.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\6C.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\6D.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\6F.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\70.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\704.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\732.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\738.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\82.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\83.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\830.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\86.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\9.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\900.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\91.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\924.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\927.exe Win32/Lethic.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\93.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\94.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\96.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\98.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\9E.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\A0.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\A1.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\A2.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\A6.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\A8.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\AB.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\AC.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\AE.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\AF.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\B0.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\B3.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\C.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\D.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\E.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\m8s1u32o9.exe Win32/AutoRun.IRCBot.FL worm cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\sWv6.exe Win32/AutoRun.IRCBot.FL worm cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\Local Settings\Temp\w2b2j99g9.exe a variant of Win32/Injector.CHS trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\19\60c7b913-34e436da multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\3\4e84bf83-5818c981 multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\34db286c-185d1eb1 multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\52ddf5ec-29f14148 Java/Mugademel.A trojan deleted - quarantined
C:\RECYCLER\S-1-5-21-1844237615-507921405-839522115-1004\Dc2.new Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\udeqicoxicakihev.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.bak Win32/Qhost trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.old Win32/Qhost trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\spool\prtprocs\w32x86\17iQG7.dll Win32/Olmarik.ABS trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\spool\prtprocs\w32x86\79w1u9m.dll Win32/Olmarik.ABS trojan cleaned by deleting - quarantined
C:\WINDOWS\Temp\jar_cache3248283657238601002.tmp probably a variant of Win32/Agent.NXHSWPF trojan deleted - quarantined
C:\WINDOWS\Temp\jar_cache355403563013641138.tmp multiple threats deleted - quarantined
C:\WINDOWS\Temp\ngjngvjfds.js Win32/TrojanDownloader.Delf.PVT trojan cleaned by deleting - quarantined

#11 quietman7

Posted 24 August 2010 - 08:45 PM

Eset did find a lot. I think you should try another online scan.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Then perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished. If that's the case, please refer to How To Temporarily Disable Your Anti-virus.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 Dragonlady24

Posted 25 August 2010 - 02:13 PM

Here is what Kaspersky found.

KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 25, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 25, 2010 12:26:43
Records in database: 4144122
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 41897
Threats found: 2
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 01:16:45


File name / Threat / Threats count
C:\Avenger\secupdat.dat Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-234 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-238 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-239 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-243 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-244 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-258 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-276 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-283 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-284 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-288 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-546 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-584 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-594 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\secupdat.dat-ren-596 Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\wmsapsbl.dll Infected: Packed.Win32.Krap.hc 1

Selected area has been scanned.

#13 quietman7

Posted 25 August 2010 - 02:30 PM

Those are not a threat but files previously removed by using Avenger and placed in its holding area. There is no need to keep them on your machine, so do this:

Please download OTC by OldTimer and save to your Desktop.
  • Connect to the Internet and double-click on OTC.exe to start the program.
  • Click on the green CleanUp! button.
  • If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.
  • When it has finished, OTC will ask you to reboot so it can remove itself.
-- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
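
As an added triage example (not a tool from this thread or from ESET or Kaspersky): a Python script that parses the ESET-style lines posted in #10 and the Kaspersky lines posted in #12 and buckets each hit by where the file lives, so leftovers in a fix tool's holding area (C:\Avenger, as quietman7 explains above) are kept apart from hits in live locations. The folder rules are this example's own assumptions, and the sample report is a constructed excerpt of lines taken from the two reports above.

```python
"""Scan-report triage helper (added example, not a tool from this thread or
from ESET/Kaspersky). Parses ESET-style and Kaspersky Online Scanner 7 hit
lines and buckets each hit by location so leftovers in a fix tool's holding
area (C:\\Avenger) are not read as live infections. Rules are assumptions."""
import re
from collections import Counter

# ESET online scanner line: "<path> <detection> <action> - quarantined"
ESET_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably a variant of |a variant of )?\S+/\S+ (?:trojan|worm)"
    r"|multiple threats) "
    r"(?P<action>.+?) - quarantined$"
)
# Kaspersky Online Scanner 7 line: "<path> Infected: <name> <count>"
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<detection>\S+) (?P<count>\d+)$")

# Ordered (substring of lower-cased path, bucket); first match wins. Assumed here.
LOCATION_RULES = [
    ("\\avenger\\", "fix-tool holding area"),   # Avenger keeps renamed copies here
    ("\\desktop\\backups\\", "removal backup folder"),
    ("\\java\\deployment\\cache\\", "java cache"),
    ("jar_cache", "java cache"),
    ("\\drivers\\etc\\hosts", "hosts file"),    # hosts hijack shows up as redirects
    ("\\local settings\\temp\\", "temp folder"),
    ("\\windows\\temp\\", "temp folder"),
    ("\\recycler\\", "recycle bin"),
]
# Buckets outside caches, temp and tool areas that still deserve a closer look.
ATTENTION = {"live location", "hosts file"}

def parse_line(line):
    """Return {'path', 'detection'} for a hit line in either format, else None."""
    text = line.strip()
    m = ESET_RE.match(text) or KAV_RE.match(text)
    if not m:
        return None
    return {"path": m.group("path"), "detection": m.group("detection")}

def classify_path(path):
    """Map a file path to a location bucket using LOCATION_RULES."""
    lowered = path.lower()
    for needle, bucket in LOCATION_RULES:
        if needle in lowered:
            return bucket
    return "live location"

def family(detection):
    """Collapse 'a variant of Win32/Kryptik.FPI trojan' to 'Win32/Kryptik'."""
    name = re.sub(r"^(?:probably )?a variant of ", "", detection).split(" ")[0]
    if name == "multiple":
        return "multiple threats"
    return name.rsplit(".", 1)[0]   # drop the variant suffix (.FPI, .AA, .p)

def summarize(report):
    """Tally a pasted report by location bucket and malware family."""
    result = {"parsed": 0, "skipped": 0, "by_location": Counter(),
              "by_family": Counter(), "live_hits": []}
    for line in report.splitlines():
        if not line.strip():
            continue
        hit = parse_line(line)
        if hit is None:
            result["skipped"] += 1      # headers, statistics, trailer text
            continue
        result["parsed"] += 1
        bucket = classify_path(hit["path"])
        result["by_location"][bucket] += 1
        result["by_family"][family(hit["detection"])] += 1
        if bucket in ATTENTION:
            result["live_hits"].append(hit["path"])
    return result

# Constructed sample: a handful of lines copied from the two reports in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Nancy\Local Settings\Temp\10.tmp a variant of Win32/Kryptik.FPI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Nancy\easdjadej2.exe Win32/AutoRun.IRCBot.FL worm cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\etc\hosts.old Win32/Qhost trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\Temp\jar_cache355403563013641138.tmp multiple threats deleted - quarantined
C:\WINDOWS\udeqicoxicakihev.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\Avenger\secupdat.dat Infected: Backdoor.Win32.Cetorp.p 1
C:\Avenger\wmsapsbl.dll Infected: Packed.Win32.Krap.hc 1
Selected area has been scanned.
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for bucket, n in summary["by_location"].most_common():
        print(f"{n:3d}  {bucket}")
    print("outside caches/temp/tool areas:", *summary["live_hits"], sep="\n  ")
```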

#14 Dragonlady24

Posted 25 August 2010 - 03:00 PM

What do you mean by specialised tools? Does that mean that it just removes that program when the computer reboots?
I'll get to that as soon as possible.

Edited by Dragonlady24, 25 August 2010 - 03:00 PM.


#15 quietman7

Posted 25 August 2010 - 04:21 PM

OTC is a clean up utility that will look for downloaded files and any files/folders created by various specialized fix tools used during malware removal. These specialized tools include any of OT's tools (OTL, OTM, OTS), Avenger, BFU, SDFix, Combofix, SmitfraudFix, VundoFix, etc, and their embedded files. Some of these are older tools that may have been left behind after a previous bout with a malware infection where you may have asked for assistance. However, if left on your system they may be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case.

Such programs have legitimate uses in contexts where a user has installed them under the direction of a malware removal Helper. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's heuristic analysis engine, which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you like Kaspersky did or even automatically remove them. In these cases the detection is a "false positive". To avoid such alerts on specialized fix tools, it's best to just remove them as they are no longer needed.



