Malware That Redirects from Searches and Spontaneously Opens Tabs - Help!


8 replies to this topic

#1 LennyM


Posted 15 September 2010 - 09:11 AM

My computer is running Windows XP Home Edition Version 2002 and Service Pack 3
My browser is Firefox 3.6.9. Sometimes I use Explorer 8.0.6001.18702.

No system changes have been made. It is possible that my house sitter during the summer may have visited one or more porno sites.

Almost all the redirection takes place from Google, though about half the time I can get to the desired site. I have also been redirected from Yahoo search. I noticed this morning for the first time that even when I typed in a URL, the browser was redirected. I then closed Firefox and opened Explorer, typed in the URL and went there with no problem. However, redirection from Google happens in Explorer also.

Often a new tab will open in Firefox spontaneously

Often the redirected sites open the window to the full screen, sometimes with audio. Sometimes I can't close the tabs on the redirected sites as new small windows open asking me if I really want to close and I can't simply X them out (for another window will open asking again) and fear to click on anything else. I may then wind up closing the browser using Task Manager.

Some of the sites I am redirected to are:

removed

The following sites came up repeatedly after redirection so I put them in my "hosts" file:

127.0.0.1 suitesmart.com
127.0.0.1 cdn.optmd.com
127.0.0.1 google-analytics.com
127.0.0.1 ads.bluelithium.com
127.0.0.1 7search.com
127.0.0.1 asklots.com
127.0.0.1 pixelstatservice.com
127.0.0.1 www.registrydefender.com
127.0.0.1 redirect.com
127.0.0.1 66.230.188.67
127.0.0.1 lpgen.info
127.0.0.1 newsdaily7.com
127.0.0.0 localtribune.org

I have never clicked on anything at a redirected site.

What I tried:

I have tried running Malwarebytes, Ad-Aware, and Spybot with no success. I have tried running system restore to a date before the summer.

I have downloaded a large file from mvps.org to my hosts file.

Thanks for any advice you can offer.

LennyM

Edited by quietman7, 15 September 2010 - 01:35 PM.


#2 quietman7


Posted 15 September 2010 - 01:38 PM

Please do not post active links to malware or possible malware related sites. I have removed the one(s) you posted so others do not accidentally click on them.


Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs



Please follow these instructions: How to remove Google Redirects or the TDSS, TDL3, Alureon rootkit using TDSSKiller
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process. <- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- For any files detected as 'Suspicious', get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 LennyM


Posted 15 September 2010 - 05:12 PM

Thank you for your assistance.

This log is from an MBAM quick scan. Should I do a full scan and submit?

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4546

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/15/2010 4:14:00 PM
mbam-log-2010-09-15 (16-14-00).txt

Scan type: Quick scan
Objects scanned: 152318
Time elapsed: 8 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The TDSS log:

2010/09/15 17:33:04.0968 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/15 17:33:04.0968 ================================================================================
2010/09/15 17:33:04.0968 SystemInfo:
2010/09/15 17:33:04.0968
2010/09/15 17:33:04.0968 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/15 17:33:04.0968 Product type: Workstation
2010/09/15 17:33:04.0968 ComputerName: OFFICE
2010/09/15 17:33:04.0968 UserName: Mel
2010/09/15 17:33:04.0968 Windows directory: C:\WINDOWS
2010/09/15 17:33:04.0968 System windows directory: C:\WINDOWS
2010/09/15 17:33:04.0968 Processor architecture: Intel x86
2010/09/15 17:33:04.0968 Number of processors: 2
2010/09/15 17:33:04.0968 Page size: 0x1000
2010/09/15 17:33:04.0968 Boot type: Normal boot
2010/09/15 17:33:04.0968 ================================================================================
2010/09/15 17:33:05.0515 Initialize success
2010/09/15 17:33:32.0718 ================================================================================
2010/09/15 17:33:32.0718 Scan started
2010/09/15 17:33:32.0718 Mode: Manual;
2010/09/15 17:33:32.0718 ================================================================================
2010/09/15 17:33:37.0859 Kbdclass (0f2a979e8c427380eb0629aa1942b10f) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/15 17:33:37.0859 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 0f2a979e8c427380eb0629aa1942b10f, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/09/15 17:33:37.0859 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/15 17:33:44.0062 ================================================================================
2010/09/15 17:33:44.0062 Scan finished
2010/09/15 17:33:44.0062 ================================================================================
2010/09/15 17:33:44.0078 Detected object count: 1
2010/09/15 17:35:10.0187 Kbdclass (0f2a979e8c427380eb0629aa1942b10f) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/15 17:35:10.0187 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 0f2a979e8c427380eb0629aa1942b10f, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/09/15 17:35:17.0375 Backup copy found, using it..
2010/09/15 17:35:17.0453 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/09/15 17:35:17.0453 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
2010/09/15 17:35:53.0078 Deinitialize success


I submitted the "suspicious" file "C:\WINDOWS\system32\DRIVERS\kbdclass.sys" to Jotti's Viruscan and got all negative results.
Then to VirusTotal and got negatives except for:
McAfee-GW-Edition 2010.1C 2010.09.15 Heuristic.LooksLike.Trojan.Patched.I

Thanks again,

LennyM
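Added example, not code from this thread or from TDSSKiller itself: a small Python triage helper that parses log lines of the shape LennyM posted above, pulls out the forged-file finding with its two hashes, and checks that a Cure was actually scheduled before reboot (the point quietman7 makes when reading the log). The regexes are assumptions modelled on that output, and the sample log is a cut-down copy of the posted one.

```python
"""Triage helper for TDSSKiller logs like the one posted in this thread.

Added example; this is not TDSSKiller code. Line shapes are assumptions
modelled on the 2.4.2.1 log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every TDSSKiller line starts with a timestamp; the message follows.
LINE_RE = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) ?(?P<msg>.*)$")
# Driver enumeration entry:  Kbdclass (md5) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
DRIVER_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# Forged-file finding: two hashes for one path, depending on how the file is read.
# The mismatch itself is the rootkit indicator; which hash is "real" is TDSSKiller's call.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-fA-F]{32}), Fake md5: (?P<fake>[0-9a-fA-F]{32})$"
)
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
CURE_RE = re.compile(r"^(?P<path>.+) - will be cured after reboot$")
ACTION_RE = re.compile(
    r"^(?P<verdict>[^\s(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$"
)
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    name: str                   # service/driver name, e.g. Kbdclass
    first_seen: str             # timestamp of the first line about it
    path: str = ""
    real_md5: str = ""
    fake_md5: str = ""
    verdict: str = ""           # e.g. Rootkit.Win32.TDSS.tdl3
    action: str = ""            # the user's selected action, e.g. Cure
    cure_pending: bool = False  # "will be cured after reboot" was logged


@dataclass
class Report:
    drivers: Dict[str, str] = field(default_factory=dict)       # name -> md5 from enumeration
    findings: Dict[str, Finding] = field(default_factory=dict)  # name -> Finding
    declared_count: Optional[int] = None                        # "Detected object count"


def parse_tdsskiller_log(text: str) -> Report:
    report = Report()
    last_driver: Optional[str] = None  # forged lines carry no service name; use the preceding entry
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (dm := DRIVER_RE.match(msg)):
            last_driver = dm.group("name")
            report.drivers.setdefault(last_driver, dm.group("md5").lower())
        elif (fm := FORGED_RE.match(msg)) and last_driver:
            f = report.findings.setdefault(last_driver, Finding(last_driver, ts))
            f.path = fm.group("path")
            f.real_md5, f.fake_md5 = fm.group("real").lower(), fm.group("fake").lower()
        elif (xm := DETECT_RE.match(msg)):
            f = report.findings.setdefault(xm.group("name"), Finding(xm.group("name"), ts))
            f.verdict = xm.group("verdict")
        elif (cm := CURE_RE.match(msg)):
            for f in report.findings.values():
                if f.path.lower() == cm.group("path").lower():
                    f.cure_pending = True
        elif (am := ACTION_RE.match(msg)):
            f = report.findings.setdefault(am.group("name"), Finding(am.group("name"), ts))
            f.action, f.verdict = am.group("action"), f.verdict or am.group("verdict")
        elif (nm := COUNT_RE.match(msg)):
            report.declared_count = int(nm.group("n"))
    return report


def is_clean(report: Report) -> bool:
    return not report.findings and report.declared_count in (None, 0)


def triage(report: Report) -> List[str]:
    """Summarise what the log shows and whether each finding was actually dealt with."""
    notes: List[str] = []
    for f in report.findings.values():
        if f.real_md5 and f.fake_md5 and f.real_md5 != f.fake_md5:
            notes.append(f"{f.name}: forged file at {f.path} (hash mismatch)")
        if f.verdict:
            notes.append(f"{f.name}: {f.verdict}")
        if f.action.lower() == "cure" and f.cure_pending:
            notes.append(f"{f.name}: cure scheduled, reboot required")
        else:
            notes.append(f"{f.name}: NOT cured (action={f.action or 'none'}), rerun the scan")
    if report.declared_count is not None and report.declared_count != len(report.findings):
        notes.append(f"declared count {report.declared_count} != parsed findings {len(report.findings)}")
    if not report.findings:
        notes.append("no forged files or detections in this log")
    return notes


# Sample input: a cut-down copy of the log posted in this thread (constructed here; the
# full log lists every driver, only a few clean entries are kept).
SAMPLE_LOG = r"""
2010/09/15 17:33:04.0968 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/15 17:33:04.0968 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/15 17:33:32.0718 Scan started
2010/09/15 17:33:33.0296 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/15 17:33:37.0859 Kbdclass (0f2a979e8c427380eb0629aa1942b10f) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/15 17:33:37.0859 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 0f2a979e8c427380eb0629aa1942b10f, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/09/15 17:33:37.0859 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/15 17:33:37.0875 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/15 17:33:44.0062 Scan finished
2010/09/15 17:33:44.0078 Detected object count: 1
2010/09/15 17:35:17.0453 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/09/15 17:35:17.0453 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
2010/09/15 17:35:53.0078 Deinitialize success
"""

if __name__ == "__main__":
    for note in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(note)
```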

#4 quietman7


Posted 15 September 2010 - 05:40 PM

This is the pertinent section of the log which indicates a TDSS/TDL3 rootkit infection. The forged file was identified and will be cured after reboot.

2010/09/15 17:33:44.0078 Detected object count: 1
2010/09/15 17:35:10.0187 Kbdclass (0f2a979e8c427380eb0629aa1942b10f) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/15 17:35:10.0187 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 0f2a979e8c427380eb0629aa1942b10f, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/09/15 17:35:17.0375 Backup copy found, using it..
2010/09/15 17:35:17.0453 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
2010/09/15 17:35:17.0453 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure

Please reboot if you have not done so already.


Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders (temp, IE temp, Java, FF, Opera, Chrome, Safari) for all user accounts including:
    • Administrator.
    • All Users.
    • LocalService.
    • NetworkService.
    • and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click [image] > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
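A small parser for the TDSSKiller log format quoted in the post above, added here as an example and not code from the thread or from the TDSSKiller tool itself. It pulls out "Suspicious file (Forged)" entries with their real and fake MD5 values, ties them to the detection verdict, and lists which drivers are still waiting for the reboot the post asks for; the sample input is constructed from the lines shown above.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the TDSSKiller log excerpt quoted in the thread
# (path and hashes copied from the posted lines; this is not a live scan).
SAMPLE_LOG = """\
2010/09/15 17:33:44.0078 Detected object count: 1
2010/09/15 17:35:10.0187 Kbdclass (0f2a979e8c427380eb0629aa1942b10f) C:\\WINDOWS\\system32\\DRIVERS\\kbdclass.sys
2010/09/15 17:35:10.0187 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\kbdclass.sys. Real md5: 0f2a979e8c427380eb0629aa1942b10f, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2010/09/15 17:35:17.0375 Backup copy found, using it..
2010/09/15 17:35:17.0453 C:\\WINDOWS\\system32\\DRIVERS\\kbdclass.sys - will be cured after reboot
2010/09/15 17:35:17.0453 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)")
# Real md5 = hash of the file actually on disk; Fake md5 = what the rootkit hands
# back to anyone reading the file through the infected driver stack.
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
CURE_RE = re.compile(TS + r"(?P<path>.+?) - will be cured after reboot")
VERDICT_RE = re.compile(TS + r"(?P<name>[\w.\-]+)\((?P<service>\w+)\) - User select action: (?P<action>\w+)")

@dataclass
class ForgedDriver:
    path: str
    real_md5: str
    fake_md5: str
    detection: str = ""
    action: str = ""
    cure_pending_reboot: bool = False

def parse_tdsskiller_log(text):
    """Return (declared object count, list of ForgedDriver) for a TDSSKiller log."""
    declared, found = 0, {}
    for line in text.splitlines():
        if m := COUNT_RE.match(line):
            declared = int(m.group("n"))
        elif m := FORGED_RE.match(line):
            found[m.group("path").lower()] = ForgedDriver(m.group("path"), m.group("real"), m.group("fake"))
        elif (m := CURE_RE.match(line)) and m.group("path").lower() in found:
            found[m.group("path").lower()].cure_pending_reboot = True
        elif m := VERDICT_RE.match(line):
            # The verdict names the service (Kbdclass); map it to the driver file of the same stem.
            for d in found.values():
                if d.path.lower().endswith("\\" + m.group("service").lower() + ".sys"):
                    d.detection, d.action = m.group("name"), m.group("action")
    return declared, list(found.values())

def pending_reboot(drivers):
    """Paths whose cure only takes effect after the reboot the helper asked for."""
    return [d.path for d in drivers if d.cure_pending_reboot]

if __name__ == "__main__":
    n, drivers = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"declared={n} parsed={len(drivers)} reboot needed for: {pending_reboot(drivers)}")
```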

#5 LennyM (Topic Starter)
Members, 4 posts

Posted 16 September 2010 - 07:20 AM

I think I need some help here.

I ran TFC.

Then I ran the Eset online scanner. It stopped only after doing 14% and about 11600 files and left the following log:
[By "stopped" I mean the clock kept on going for at least an hour but nothing else changed.]

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=53a0707f8e004a42aefb08fa30cb6527
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-16 04:02:27
# local_time=2010-09-16 12:02:27 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775125 100 100 7275 58547005 28489 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=11598
# found=2
# cleaned=2
# scan_time=12509
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Sent WM/CAP.A virus (contained infected files) 00000000000000000000000000000000 C
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\Local Folders\Trash JS/TrojanDownloader.gen trojan (contained infected files) 00000000000000000000000000000000 C

I ran it again after deactivating Avira, which Eset had recognized as being present. It ran again only up to 14% and 11626 files and left the following log:

# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=53a0707f8e004a42aefb08fa30cb6527
# end=stopped
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-16 12:07:13
# local_time=2010-09-16 08:07:13 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 16775141 100 100 45859 58585589 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=11627
# found=0
# cleaned=0
# scan_time=3011

What do you suggest I do now?

Would it help to remove Avira from the computer?

Should I run Eset again or the full Malwarebytes scan?

Thank you again for your help.

LennyM

#6 quietman7
Bleepin' Janitor, Global Moderator, 51,399 posts, Virginia, USA

Posted 16 September 2010 - 08:45 AM

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
Try doing a different online scan.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator.
    To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the [image]... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the [image]... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the [image]... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished. If that's the case, please refer to How To Temporarily Disable Your Anti-virus.

#7 LennyM (Topic Starter)
Members, 4 posts

Posted 16 September 2010 - 12:57 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 16, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 16, 2010 08:51:32
Records in database: 4216192
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 155722
Threats found: 14
Infected objects found: 102
Suspicious objects found: 167
Scan duration: 03:10:43


File name / Threat / Threats count
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Inbox Suspicious: Exploit.HTML.Iframe.FileDownload 43
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Inbox Infected: Exploit.HTML.ObjData 3
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Junk Suspicious: Exploit.HTML.Iframe.FileDownload 35
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Junk Infected: Exploit.HTML.ObjData 3
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Bayfraud.f 1
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Usbankfraud.f 1
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Citifraud.bm 2
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Bayfraud.g 1
C:\Documents and Settings\Mel\Application Data\Mozilla\Profiles\mel\bp7jdsr7.slt\Mail\127.0.0.1\Sent Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Inbox Suspicious: Exploit.HTML.Iframe.FileDownload 43
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Inbox Infected: Exploit.HTML.ObjData 3
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Suspicious: Exploit.HTML.Iframe.FileDownload 35
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Email-Worm.Win32.NetSky.q 38
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Email-Worm.Win32.Bagle.y 5
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Exploit.HTML.ObjData 9
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Email-Worm.Win32.NetSky.d 6
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Bayfraud.f 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Usbankfraud.f 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Trojan-Dropper.VBS.Zerolin 16
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Citifraud.bm 2
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Email-Worm.Win32.Bagle.gen 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Trojan-Spy.HTML.Bayfraud.g 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Junk Infected: Trojan-Downloader.JS.gen 7
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Sent Infected: Virus.MSWord.Cap 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Sent Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\Mel\Application Data\Thunderbird\Profiles\bpee662v.default\Mail\127.0.0.1\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 5

Selected area has been scanned.




Thank you for your help.

LennyM

#8 quietman7
Bleepin' Janitor, Global Moderator, 51,399 posts, Virginia, USA

Posted 16 September 2010 - 01:09 PM

Delete all those files from your Mozilla\Profiles > Mail > Inbox. - How to Access Inbox in Mozilla Thunderbird
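A summariser for the Kaspersky Online Scanner report posted in #7, added here as an example (not code from the thread or from Kaspersky). It groups the "File name / Threat / Threats count" lines by mail store and folder, which is what makes the advice in #8 (purge the messages from the mail folders rather than treat system files) visible at a glance; the mail lines in the sample are copied from the report, and the C:\Temp line is a constructed non-mail hit for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the Kaspersky Online Scanner 7.0 report layout quoted in
# the thread. Mail-store lines are copied from the posted report; the C:\Temp
# line is constructed so the grouping shows a non-mail hit as well.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Documents and Settings\\Mel\\Application Data\\Mozilla\\Profiles\\mel\\bp7jdsr7.slt\\Mail\\127.0.0.1\\Inbox Suspicious: Exploit.HTML.Iframe.FileDownload 43
C:\\Documents and Settings\\Mel\\Application Data\\Mozilla\\Profiles\\mel\\bp7jdsr7.slt\\Mail\\127.0.0.1\\Inbox Infected: Exploit.HTML.ObjData 3
C:\\Documents and Settings\\Mel\\Application Data\\Thunderbird\\Profiles\\bpee662v.default\\Mail\\127.0.0.1\\Junk Infected: Email-Worm.Win32.NetSky.q 38
C:\\Documents and Settings\\Mel\\Application Data\\Thunderbird\\Profiles\\bpee662v.default\\Mail\\127.0.0.1\\Sent Infected: Virus.MSWord.Cap 1
C:\\Temp\\eicar.com Infected: EICAR-Test-File 1

Selected area has been scanned.
"""

# Paths contain spaces, so the path is everything up to the status keyword.
HIT_RE = re.compile(r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
# Mozilla Suite / Thunderbird keep each folder as a single mbox file under
# ...\<client>\Profiles\<profile>\Mail\<server>\<Folder>; a hit there is an
# infected message inside that folder, not an infected program on disk.
MAIL_STORE_RE = re.compile(
    r"\\(?P<client>Mozilla|Thunderbird)\\Profiles\\.+?\\Mail\\(?P<server>[^\\]+)\\(?P<folder>[^\\]+)$", re.I)

def parse_report(text):
    """Return [(path, status, threat, count)] for every detection line."""
    hits = []
    for line in text.splitlines():
        if m := HIT_RE.match(line):
            hits.append((m.group("path"), m.group("status"), m.group("threat"), int(m.group("count"))))
    return hits

def summarize(hits):
    """Totals per status, objects per (mail client, folder), and objects per non-mail path."""
    totals = defaultdict(int)
    mail = defaultdict(int)   # (client, folder) -> objects found inside that mbox file
    other = defaultdict(int)  # path -> objects, for anything outside a mail store
    for path, status, _threat, count in hits:
        totals[status] += count
        if m := MAIL_STORE_RE.search(path):
            mail[(m.group("client"), m.group("folder"))] += count
        else:
            other[path] += count
    return dict(totals), dict(mail), dict(other)

if __name__ == "__main__":
    totals, mail, other = summarize(parse_report(SAMPLE_REPORT))
    print("totals:", totals)
    for (client, folder), n in sorted(mail.items()):
        print(f"purge messages: {client} / {folder} ({n} objects)")
    for path, n in other.items():
        print(f"non-mail hit, handle with the scanner: {path} ({n})")
```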

#9 progamer1134
Members, 1 post

Posted 19 September 2010 - 01:26 PM

Just cleared a virus from 2 machines that was redirecting all browsers, popping new windows and such. Used phishing websites like

The virus was sitting in the tcpip.sys file. Avira tried to delete the whole file, which results in loss of internet capability; Hitman Pro 3.5 detected it but didn't do anything about it. To clean it, I had to use TDSSKiller.exe.


Potentially this virus was giving full and unlimited access/control to an outside party. If you have/had it, I would strongly advise changing passwords.

Edited by progamer1134, 19 September 2010 - 01:28 PM.




