Redirect issues
10 replies to this topic

#1 Mrs_Clifton (Members)

Posted 20 September 2010 - 11:18 AM

Hello & thank you in advance for any help provided. My computer has been infected with a very nasty trojan that redirects me from my original searches 95% of the time. It has also stopped a number of my computer programs like Microsoft Word, Search and my original Internet Explorer program, which will not open any links, neither will it respond to any address put into the search bar. I have removed this virus a number of times using MBAM but the same problems return and the virus returns a few hours or days later.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4651

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/09/2010 17:23:09
mbam-log-2010-09-19 (17-23-09).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|G:\|)
Objects scanned: 260627
Time elapsed: 2 hour(s), 13 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0983c6cd-d46a-76a6-80cb-54be441c54ab} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0983c6cd-d46a-76a6-80cb-54be441c54ab} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\iyumiyapa.dll (Trojan.BHO.H) -> Delete on reboot.


#2 boopme (Global Moderator, NJ USA)

Posted 20 September 2010 - 12:58 PM

Hello, a reboot was needed after that to complete removal.


Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER.
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Mrs_Clifton (Topic Starter)

Posted 21 September 2010 - 06:51 PM

Sorry for the late reply, but the last time I ran this scan, which I thought would take around two hours, it ended up taking around four and was still going, so I had to give up on it and get some shut-eye.

The MBAM log says the computer is clean but I doubt that very much, as the folder which listed the BHO trojan, Iyumiyapa, has returned, yet now does not show in the virus scan but it is still very much part of the startup programs. I have a feeling this might be some form of rootkit.



Generated 09/22/2010 at 00:01 AM

Application Version : 4.43.1000

Core Rules Database Version : 5426
Trace Rules Database Version: 3238

Scan type : Complete Scan
Total Scan Time : 08:57:25

Memory items scanned : 244
Memory threats detected : 0
Registry items scanned : 6681
Registry threats detected : 0
File items scanned : 104263
File threats detected : 111

Adware.Tracking Cookie
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\TE6VBDPF ]
www.naiadsystems.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\5URHA7V2 ]
.collective-media.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.doubleclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.collective-media.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.bizzclick.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.smartadserver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.smartadserver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.smartadserver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.smartadserver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.smartadserver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.apmebf.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.mediaplex.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.tribalfusion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.apmebf.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.chitika.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.microsoftsto.112.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
statse.webtrendslive.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
rts.pgmediaserve.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
rts.pgmediaserve.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
rts.pgmediaserve.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.bs.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.atdmt.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
bridge1.admarketplace.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.admarketplace.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.invitemedia.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adviva.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.questionmarket.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adultfriendfinder.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.pornoxo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.pornoxo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.pornoxo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
www.pornoxo.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.toplist.cz [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.ero-advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adxpansion.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.statcounter.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.advertise.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.adbrite.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.media6degrees.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
n-traffic.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.trinitymirror.112.2o7.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
onlineadtracker.co.uk [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.revsci.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.advertising.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.yieldmanager.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]
.mediaplex.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bzs7iks1.default\cookies.sqlite ]



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4667

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/09/2010 00:22:32
mbam-log-2010-09-22 (00-22-32).txt

Scan type: Quick scan
Objects scanned: 151063
Time elapsed: 10 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme (Global Moderator, NJ USA)

Posted 21 September 2010 - 07:19 PM

Hi, no problem... Yes, SAS is a longer one, especially the first time it is run.
First we'll stop that dll.
•Click Start.
•Click Run.
•Type msconfig.
•Click OK.

This brings up the System Configuration Utility window.
Click the Startup tab.
Look through the list for iyumiyapa.dll. Uncheck the box. Click Apply and OK.
Reboot so your changes can take effect.


Let's do another, not as long, online scan: ESET.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.
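The msconfig step above hides the entry but does not tell you which registered Browser Helper Object actually loads the DLL, and MBAM's first log shows exactly that chain: a CLSID under the Browser Helper Objects key whose InprocServer32 value points at C:\WINDOWS\iyumiyapa.dll. The batch script below is an added example, not something posted in this thread or shipped with any of the tools named in it. It enumerates every BHO registered for Internet Explorer, resolves the DLL each one loads, reports whether that file is still on disk, and then prints the Run keys that msconfig's Startup tab is built from so a returning entry can be found by name. It only reads the registry; nothing is deleted. The file name it highlights (`iyumiyapa.dll`) is taken from the MBAM log earlier in the thread, and the script name `bho-audit.cmd` is this example's own.

```batch
@echo off
setlocal EnableDelayedExpansion
rem bho-audit.cmd -- added example, not taken from the BleepingComputer thread.
rem Lists every Browser Helper Object registered for Internet Explorer, resolves the DLL
rem each one loads from HKCR\CLSID\{clsid}\InprocServer32, and reports whether that DLL
rem is on disk. It then dumps the Run keys that msconfig's Startup tab is built from, so
rem a re-appearing entry can be found by name. Plain cmd.exe batch; read-only.
rem SUSPECT is the DLL name from the MBAM log in the thread, used only to highlight a match.

set "BHO_KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
set "SUSPECT=iyumiyapa.dll"

echo === Browser Helper Objects ===
for /f "delims=" %%K in ('reg query "%BHO_KEY%" 2^>nul ^| findstr /i "{"') do (
    rem %%K is the full subkey path; ~nx keeps only its last component, the {CLSID}
    call :resolve "%%~nxK"
)

echo.
echo === Run keys (the entries msconfig's Startup tab shows) ===
for %%H in (HKLM HKCU) do (
    echo --- %%H ---
    reg query "%%H\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 2>nul
)
endlocal
goto :eof

:resolve
rem %1 = {CLSID}. Read the (Default) value of InprocServer32. XP's reg.exe labels that
rem value "<NO NAME>", Vista and later "(Default)", so instead of relying on column
rem positions we cut away everything up to and including the value-type token.
set "CLSID=%~1"
set "DLL="
for /f "tokens=*" %%L in ('reg query "HKCR\CLSID\%CLSID%\InprocServer32" /ve 2^>nul ^| findstr /i "REG_SZ REG_EXPAND_SZ"') do (
    set "LINE=%%L"
    set "DLL=!LINE:*REG_EXPAND_SZ=!"
    if "!DLL!"=="!LINE!" set "DLL=!LINE:*REG_SZ=!"
)
if not defined DLL (
    echo %CLSID%  -^> no InprocServer32 value (orphaned BHO registration^)
    goto :eof
)
rem strip the leading tab/spaces left by the column separator
for /f "tokens=*" %%T in ("!DLL!") do set "DLL=%%T"
rem expand %SystemRoot%-style references so the existence test is meaningful
call set "DLL=%DLL%"
set "FLAG="
if not "!DLL:%SUSPECT%=!"=="!DLL!" set "FLAG=   <== named in the thread"
if exist "!DLL!" (
    echo %CLSID%  -^> !DLL!  [on disk]!FLAG!
) else (
    echo %CLSID%  -^> !DLL!  [not found as written; bare names are resolved by the loader's search path]!FLAG!
)
goto :eof
```

Run it from a normal command prompt (`bho-audit.cmd > bho.txt` keeps a copy to paste into a reply). A BHO whose DLL sits directly in C:\WINDOWS under a random-looking name, as in the MBAM log, is the kind of entry worth quarantining; a BHO whose file is missing is a leftover registration that IE will simply fail to load. Because the malware in this thread re-creates its files, compare two runs a few hours apart rather than trusting a single clean listing.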

#5 Mrs_Clifton (Topic Starter)

Posted 24 September 2010 - 12:40 PM

Hello, sorry for the late reply once more.



C:\Program Files\Trend Micro\HijackThis\backups\backup-20100916-132617-860.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\Program Files\Trend Micro\HijackThis\backups\backup-20100916-143216-265.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\WINDOWS\ahetucivi.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\WINDOWS\drdolet.exe a variant of Win32/Cimag.DD trojan cleaned by deleting - quarantined
C:\WINDOWS\ionvtc.dll a variant of Win32/Cimag.DC trojan cleaned by deleting - quarantined

#6 boopme (Global Moderator, NJ USA)

Posted 24 September 2010 - 03:56 PM

Now that's a trouble maker. Good to get that off. Any more redirects now?

#7 Mrs_Clifton (Topic Starter)

Posted 24 September 2010 - 05:13 PM

Hi. Yes, my Internet is still slow and I am still getting error messages informing me of script errors in Firefox, and my Internet Explorer won't load the home page; neither will any links or address bars work. Still getting redirects and Media Player opening up and trying to play content from websites. Still can't load IPCONFIG, Word, Search etc., and Iyumiyapa is still there but not on startup.

#8 boopme (Global Moderator, NJ USA)

Posted 24 September 2010 - 07:51 PM

Hello again, I will give you a few things to do as we are far apart in time.

Please click Start > Run, type inetcpl.cpl in the Run box and press Enter.

Generally, most Internet connectivity problems arise out of corrupt Winsock settings due to the installation of networking software or a malware infestation.

Try resetting the IP address:
  • Go to Start > Run... and in the Open box, type: cmd
  • Press OK or hit Enter. A DOS window will appear.
  • At the command prompt type or copy/paste: ipconfig /release
  • Hit Enter.
  • When the prompt comes back, type: ipconfig /renew
  • Hit Enter.
  • Close the command box and see if that fixes the connection. No reboot needed.
-- XP users can refer to XP ipconfig Tutorial: Step 4
-- Vista users can refer to Vista ipconfig Tutorial: Step 4 and How to Enable Run Command in Vista


If that did not resolve the problem:
  • Go to Start > Run... and in the Open box, type: cmd
  • Press OK or hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.
If the above commands did not resolve the problem, the next thing to try is to reset your network settings and configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection, or Dial-up Connection if you are using dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically", or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot, go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.


If that still does not help and you're using Windows XP SP2 or SP3, log on as an administrator:
  • Go to Start > Run... and in the Open box, type: cmd
  • Press OK or hit Enter. A DOS window will appear.
  • At the command prompt, type or copy/paste: netsh winsock reset
  • Hit Enter.
  • When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset."
  • Close the command box and reboot your computer.
Note: The netsh winsock reset command resets the Winsock catalog to the default configuration (clean state) and removes all LSPs (Layered Service Providers) previously installed. It is useful if a malformed LSP is installed that results in network packet transmission failure, leading to loss of network connectivity. Any previously installed LSPs will need to be reinstalled. Instead of using the netsh winsock command, another option for resetting TCP/IP in XP or Vista is to use the automatic Microsoft Fix it. Click the Fix this problem link, then click Run in the File Download dialog box and follow the steps in the wizard. You can save the automatic fix to a USB flash drive or CD, transfer it to the affected computer and then run it.


Finally, if you continue to have connectivity problems, XP users can download a fix from another computer, save it to a USB drive and transfer it to the infected computer so it can be used. Vista users can refer to:

>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on RKill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
Do not reboot your computer after running RKill, as the malware programs will start again; if rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

>><><><><><><><><><>
Please run the tool here How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
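The network steps in the post above are a sequence of typed commands plus a GUI check of the DNS server settings. The batch script below is an added example, not something posted in this thread or part of any tool it names. It first reports, without changing anything, the three things a search-redirect infection commonly tampers with and that the post tells you to inspect or reset: the DNS servers each adapter is using (so an "unknown Preferred or Alternate DNS server" is visible before you reset it), the Winsock LSP catalog that `netsh winsock reset` wipes, and the HOSTS file. Only when run with a `/fix` switch does it perform the post's reset sequence in order: `ipconfig /release`, `ipconfig /renew`, `ipconfig /flushdns`, `netsh winsock reset`. The `/fix` switch, the script name `net-redirect-check.cmd` and the report layout are this example's own conventions; the commands are the ones in the post. One caveat the thread itself raises: if the malware closes the command window as soon as it opens, as reported in the next reply, run RKill first (or boot to Safe Mode) and then run this script, because it cannot do anything a killed cmd.exe could not.

```batch
@echo off
setlocal
rem net-redirect-check.cmd -- added example, not taken from the BleepingComputer thread.
rem Step 1 (always): report the settings a search-redirect infection commonly tampers
rem   with (DNS servers per adapter, the Winsock LSP catalog, the HOSTS file) without
rem   changing anything, so unknown DNS servers are visible before they are reset.
rem Step 2 (only with the /fix switch): run the post's reset sequence in order:
rem   ipconfig /release, ipconfig /renew, ipconfig /flushdns, netsh winsock reset.
rem The /fix switch and the report layout are this script's own; the commands are the post's.
rem netsh winsock reset needs an administrator account and XP SP2 or later.

echo === Adapter summary from ipconfig /all ===
rem Secondary DNS servers print on unlabelled continuation lines; the netsh section
rem below lists every server per interface, so use that as the authoritative view.
ipconfig /all | findstr /i /c:"Description" /c:"DHCP Enabled" /c:"IP Address" /c:"DNS Servers"
echo.
echo === DNS servers per interface (statically configured entries are the ones to question) ===
netsh interface ip show dns
echo.
echo === Winsock Layered Service Providers ===
rem A hijacking LSP shows up here as an extra provider. Compare each Provider Path with
rem the Windows-supplied ones under system32 (mswsock.dll, rsvpsp.dll, winrnr.dll).
netsh winsock show catalog | findstr /i /c:"Description" /c:"Provider Path"
echo.
echo === HOSTS file entries (comment and blank lines removed) ===
rem Redirectors sometimes pin search-engine or security-vendor names to their own
rem addresses here; a clean XP hosts file has only the "127.0.0.1 localhost" line.
findstr /v /r /c:"^[ ]*#" /c:"^[ ]*$" "%SystemRoot%\system32\drivers\etc\hosts"
echo.

if /i not "%~1"=="/fix" (
    echo Report only. Re-run as:  %~nx0 /fix   to release/renew the lease, flush DNS and reset Winsock.
    goto :eof
)

echo === Applying the reset sequence from the post ===
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset
echo.
echo Winsock catalog reset. Reboot to complete it. Any legitimately installed LSP
echo (for example from a firewall or proxy client) must be reinstalled afterwards.
endlocal
```

Run `net-redirect-check.cmd > before.txt` first, keep the output, and only then run it again with `/fix`; the saved report is what lets you tell a DNS server your ISP assigned by DHCP from one a DNS-changer wrote into the adapter by hand, which is the distinction the post's CAUTION paragraph is about. If the Winsock catalog shows a provider path outside %SystemRoot%\system32, note its path before the reset removes it, since that file is worth submitting with the next scan log.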

#9 Mrs_Clifton

Mrs_Clifton
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:02 PM

Posted 25 September 2010 - 04:28 AM

Hi, the IP issues couldn't be fixed; as soon as I open the command box & type in the above instructions it disappears. I was able to scan with the Rootkit.tdds application & found a rootkit in the PCI driver. I am now able to download Windows updates, but my Internet is still slow on Firefox & Explorer still won't respond to address bar searches or tab searches.



2010/09/25 09:18:03.0778 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/25 09:18:03.0778 ================================================================================
2010/09/25 09:18:03.0778 SystemInfo:
2010/09/25 09:18:03.0778
2010/09/25 09:18:03.0778 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/25 09:18:03.0778 Product type: Workstation
2010/09/25 09:18:03.0778 ComputerName: BLACKG
2010/09/25 09:18:03.0778 UserName: Owner
2010/09/25 09:18:03.0778 Windows directory: C:\WINDOWS
2010/09/25 09:18:03.0778 System windows directory: C:\WINDOWS
2010/09/25 09:18:03.0778 Processor architecture: Intel x86
2010/09/25 09:18:03.0778 Number of processors: 1
2010/09/25 09:18:03.0778 Page size: 0x1000
2010/09/25 09:18:03.0778 Boot type: Normal boot
2010/09/25 09:18:03.0778 ================================================================================
2010/09/25 09:18:04.0459 Initialize success
2010/09/25 09:21:10.0697 ================================================================================
2010/09/25 09:21:10.0697 Scan started
2010/09/25 09:21:10.0697 Mode: Manual;
2010/09/25 09:21:10.0697 ================================================================================
2010/09/25 09:21:11.0298 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/25 09:21:11.0448 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/25 09:21:11.0658 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/25 09:21:11.0829 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2010/09/25 09:21:11.0989 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/25 09:21:12.0219 alcan5wn (0940030d5a5869067ccc03e3b0b8dec7) C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
2010/09/25 09:21:12.0389 alcaudsl (4c9577888c53243e2991456f510488a1) C:\WINDOWS\system32\DRIVERS\alcaudsl.sys
2010/09/25 09:21:12.0570 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/09/25 09:21:12.0740 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/09/25 09:21:12.0900 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2010/09/25 09:21:13.0110 AN983 (116bff96077a4a724e0aab800525ceb5) C:\WINDOWS\system32\DRIVERS\AN983.sys
2010/09/25 09:21:13.0321 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/09/25 09:21:13.0641 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/25 09:21:13.0801 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/25 09:21:13.0992 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/25 09:21:14.0172 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/25 09:21:14.0342 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/25 09:21:14.0713 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2010/09/25 09:21:14.0893 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2010/09/25 09:21:15.0103 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2010/09/25 09:21:15.0374 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2010/09/25 09:21:15.0674 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/25 09:21:15.0824 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/09/25 09:21:16.0025 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/25 09:21:16.0185 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/25 09:21:16.0265 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/25 09:21:16.0425 cfwids (44e4a7dded054dd55ae995c3aed719ae) C:\WINDOWS\system32\drivers\cfwids.sys
2010/09/25 09:21:16.0726 cmpci (e5842ccf0953d3d46d5e26427b67e901) C:\WINDOWS\system32\drivers\cmaudio.sys
2010/09/25 09:21:16.0906 COMMONFX.DLL (1ef05b641e9a67ded74ac8ad40055dbf) C:\WINDOWS\system32\COMMONFX.DLL
2010/09/25 09:21:17.0196 CT20XUT.DLL (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL
2010/09/25 09:21:17.0427 ctac32k (8ac5f77e30e37d2d11bd99eff0c53d8c) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/09/25 09:21:17.0647 ctaud2k (673241d314e932f4890509ae8ebf26db) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/09/25 09:21:17.0857 CTAUDFX.DLL (472b82d7e549e7fab428852e4d16f21d) C:\WINDOWS\system32\CTAUDFX.DLL
2010/09/25 09:21:18.0058 ctdvda2k (ed316d4c3d39c5b6c23de067e275c183) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/09/25 09:21:18.0228 CTEAPSFX.DLL (6a57f82009563aee8826f117e1d3c72c) C:\WINDOWS\system32\CTEAPSFX.DLL
2010/09/25 09:21:18.0408 CTEDSPFX.DLL (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL
2010/09/25 09:21:18.0638 CTEDSPIO.DLL (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL
2010/09/25 09:21:18.0809 CTEDSPSY.DLL (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL
2010/09/25 09:21:18.0979 CTERFXFX.DLL (d3fbd9983325435b06795f29cb57ed3d) C:\WINDOWS\system32\CTERFXFX.DLL
2010/09/25 09:21:19.0259 CTEXFIFX.DLL (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL
2010/09/25 09:21:19.0470 CTHWIUT.DLL (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL
2010/09/25 09:21:19.0640 ctprxy2k (34e7f8a499fd8361df14fedb724c0ad3) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/09/25 09:21:19.0840 CTSBLFX.DLL (679ae21eb7f48a08184813aebabdec7c) C:\WINDOWS\system32\CTSBLFX.DLL
2010/09/25 09:21:20.0010 ctsfm2k (32098497cb4dfe9ea7660fa62dd91060) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/09/25 09:21:20.0311 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/25 09:21:20.0531 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/25 09:21:20.0711 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/25 09:21:20.0862 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/25 09:21:21.0062 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/25 09:21:21.0312 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/25 09:21:21.0492 DsAudioDevice_310 (23020385d34e35dfc2d6503fa67d3ffc) C:\WINDOWS\system32\drivers\DsAudioDevice_310.sys
2010/09/25 09:21:21.0673 emupia (2885f72d2daffd0329272f12e16d6579) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/09/25 09:21:21.0833 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2010/09/25 09:21:22.0053 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/25 09:21:22.0254 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/25 09:21:22.0584 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/25 09:21:22.0764 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/25 09:21:22.0844 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/25 09:21:23.0035 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2010/09/25 09:21:23.0215 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/25 09:21:23.0395 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/25 09:21:23.0565 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/09/25 09:21:23.0746 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/09/25 09:21:23.0926 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/25 09:21:24.0166 ha10kx2k (da2c735b66d2e7b739f9a46146581a9d) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/09/25 09:21:24.0427 hap16v2k (5c7d6d68796e4621b4168c879908dae0) C:\WINDOWS\system32\drivers\hap16v2k.sys
2010/09/25 09:21:24.0637 hap17v2k (a595b88ad16d8b5693ddf08113caf30e) C:\WINDOWS\system32\drivers\hap17v2k.sys
2010/09/25 09:21:24.0857 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
2010/09/25 09:21:25.0208 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/25 09:21:25.0438 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/25 09:21:25.0608 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
2010/09/25 09:21:25.0799 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/25 09:21:25.0969 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/25 09:21:26.0139 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/25 09:21:26.0269 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/25 09:21:26.0450 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/25 09:21:26.0610 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/25 09:21:26.0700 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/25 09:21:26.0870 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/25 09:21:26.0930 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/25 09:21:27.0000 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/25 09:21:27.0181 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/25 09:21:27.0451 LVCap138 (26f56ae5f6f56eaa0ec0ad18dfdb7ec6) C:\WINDOWS\system32\DRIVERS\lvcap138.sys
2010/09/25 09:21:27.0611 lvtuner (fe846d04ab92af24a04444219251be7d) C:\WINDOWS\system32\DRIVERS\lvtuner.sys
2010/09/25 09:21:27.0792 mfeapfk (b77e959e1c50d3e3a9d9ef423be62e09) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/09/25 09:21:27.0982 mfeavfk (e84596fcb591117f5597498a5f82ad97) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/09/25 09:21:28.0152 mfebopk (d40ce01e2d3fe0c079cd2d6b3e4b823b) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/09/25 09:21:28.0382 mfefirek (3962c6a9e35c4319dcdab0497614fd69) C:\WINDOWS\system32\drivers\mfefirek.sys
2010/09/25 09:21:28.0583 mfehidk (e7ecf7872bf8f2897ae5a696d908c2f7) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/09/25 09:21:28.0763 mfendisk (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/09/25 09:21:28.0803 mfendiskmp (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/09/25 09:21:28.0963 mferkdet (e411594ac94baef7f8ea991cc8f47fd1) C:\WINDOWS\system32\drivers\mferkdet.sys
2010/09/25 09:21:29.0133 mfetdi2k (1bfe4c4ccf8cd2d7deaffb424e691196) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2010/09/25 09:21:29.0344 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/25 09:21:29.0514 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/25 09:21:29.0564 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/25 09:21:29.0734 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/25 09:21:29.0885 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/25 09:21:30.0085 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2010/09/25 09:21:30.0315 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2010/09/25 09:21:30.0465 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/25 09:21:30.0686 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/25 09:21:30.0886 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/25 09:21:30.0956 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/25 09:21:31.0096 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/25 09:21:31.0156 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/25 09:21:31.0357 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/25 09:21:31.0417 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/09/25 09:21:31.0577 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/25 09:21:31.0647 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/09/25 09:21:31.0827 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/25 09:21:31.0917 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/09/25 09:21:32.0068 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/25 09:21:32.0238 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/25 09:21:32.0298 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/25 09:21:32.0478 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/25 09:21:32.0649 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/25 09:21:32.0729 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/25 09:21:32.0959 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/09/25 09:21:33.0139 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/25 09:21:33.0229 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/25 09:21:33.0430 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/25 09:21:33.0780 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/09/25 09:21:34.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/25 09:21:34.0361 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/25 09:21:34.0521 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/09/25 09:21:34.0621 ossrv (61c85afeaa6ef0c1b32d43f84f7bfbcf) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/09/25 09:21:34.0802 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/25 09:21:34.0972 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/25 09:21:35.0152 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/25 09:21:35.0352 PCI (9821e8722e22c2756da72aaa6583c69c) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/25 09:21:35.0352 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 9821e8722e22c2756da72aaa6583c69c, Fake md5: a219903ccf74233761d92bef471a07b1
2010/09/25 09:21:35.0382 PCI - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/25 09:21:35.0623 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/25 09:21:35.0803 PCTCore (167b2fea66dde6925766d1a81a1affc0) C:\WINDOWS\system32\drivers\PCTCore.sys
2010/09/25 09:21:36.0344 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
2010/09/25 09:21:36.0444 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
2010/09/25 09:21:36.0774 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/25 09:21:36.0835 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/09/25 09:21:37.0025 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/25 09:21:37.0205 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/25 09:21:37.0626 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/25 09:21:37.0816 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/25 09:21:37.0996 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/25 09:21:38.0086 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/25 09:21:38.0217 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/25 09:21:38.0347 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/25 09:21:38.0517 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/25 09:21:38.0707 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/25 09:21:38.0787 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2010/09/25 09:21:38.0978 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/09/25 09:21:39.0028 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/09/25 09:21:39.0268 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/25 09:21:39.0458 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/25 09:21:39.0639 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/25 09:21:39.0849 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/25 09:21:40.0089 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/09/25 09:21:40.0340 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/25 09:21:40.0530 sp_rsdrv2 (ccd6e6c387e3efa3ba5fe0e7883821c1) C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2010/09/25 09:21:40.0720 SQTECH930B (0b5ffc63a77cda4a2a9ec41767b704f7) C:\WINDOWS\system32\Drivers\Capt930b.sys
2010/09/25 09:21:40.0890 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys
2010/09/25 09:21:41.0201 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/25 09:21:41.0381 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/09/25 09:21:41.0451 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/25 09:21:41.0611 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/25 09:21:41.0832 SymIM (54bda52e4b8ee68e9c01d4b9cd75cd95) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2010/09/25 09:21:41.0872 SymIMMP (54bda52e4b8ee68e9c01d4b9cd75cd95) C:\WINDOWS\system32\DRIVERS\SymIM.sys
2010/09/25 09:21:42.0142 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/25 09:21:42.0413 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/25 09:21:42.0623 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/25 09:21:42.0773 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/25 09:21:42.0873 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/25 09:21:43.0074 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2010/09/25 09:21:43.0294 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/25 09:21:43.0544 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/25 09:21:43.0744 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/09/25 09:21:43.0835 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/25 09:21:44.0015 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/25 09:21:44.0185 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/09/25 09:21:44.0355 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/09/25 09:21:44.0516 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/09/25 09:21:44.0696 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/25 09:21:44.0866 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/25 09:21:45.0076 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/25 09:21:45.0317 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/25 09:21:45.0507 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/25 09:21:45.0737 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/09/25 09:21:45.0908 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/09/25 09:21:46.0098 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/25 09:21:46.0278 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/25 09:21:46.0448 ================================================================================
2010/09/25 09:21:46.0448 Scan finished
2010/09/25 09:21:46.0448 ================================================================================
2010/09/25 09:21:46.0538 Detected object count: 1
2010/09/25 09:26:15.0075 PCI (9821e8722e22c2756da72aaa6583c69c) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/25 09:26:15.0075 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 9821e8722e22c2756da72aaa6583c69c, Fake md5: a219903ccf74233761d92bef471a07b1
2010/09/25 09:26:15.0836 Backup copy found, using it..
2010/09/25 09:26:15.0916 C:\WINDOWS\system32\DRIVERS\pci.sys - will be cured after reboot
2010/09/25 09:26:15.0916 Rootkit.Win32.TDSS.tdl3(PCI) - User select action: Cure
2010/09/25 09:26:36.0906 Deinitialize success



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4690

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/09/2010 09:53:30
mbam-log-2010-09-25 (09-53-30).txt

Scan type: Quick scan
Objects scanned: 153337
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
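The useful signal in the TDSSKiller log above is not the single md5 on the PCI line but the "Suspicious file (Forged)" line that follows it: the tool obtained two different hashes for the same pci.sys, the "Fake md5" from the normal read path and the "Real md5" from beneath it, and that mismatch is what it reports as the TDL3 infection. The parser below is an added example, not code from this thread, from TDSSKiller or from BleepingComputer. It assumes only the line shapes visible in the posted log (a driver entry, the forged-file line with Real/Fake md5, the "- detected" verdict and the "User select action" line); the excerpt it runs on is a constructed sample modelled on those lines, and the Finding class and function names are the example's own.

```python
"""Pull forged-driver findings out of a TDSSKiller driver-scan log.

Added example; it is not part of TDSSKiller or of the forum thread. Line
formats are taken from the log posted above, nothing else is assumed.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the posted log (not the full log): two clean
# drivers, the forged pci.sys reported twice (scan pass and cure pass).
SAMPLE_LOG = "\n".join([
    r"2010/09/25 09:21:35.0152 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys",
    r"2010/09/25 09:21:35.0352 PCI (9821e8722e22c2756da72aaa6583c69c) C:\WINDOWS\system32\DRIVERS\pci.sys",
    r"2010/09/25 09:21:35.0352 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 9821e8722e22c2756da72aaa6583c69c, Fake md5: a219903ccf74233761d92bef471a07b1",
    r"2010/09/25 09:21:35.0382 PCI - detected Rootkit.Win32.TDSS.tdl3 (0)",
    r"2010/09/25 09:21:35.0623 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys",
    r"2010/09/25 09:21:46.0538 Detected object count: 1",
    r"2010/09/25 09:26:15.0075 PCI (9821e8722e22c2756da72aaa6583c69c) C:\WINDOWS\system32\DRIVERS\pci.sys",
    r"2010/09/25 09:26:15.0075 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 9821e8722e22c2756da72aaa6583c69c, Fake md5: a219903ccf74233761d92bef471a07b1",
    r"2010/09/25 09:26:15.0916 C:\WINDOWS\system32\DRIVERS\pci.sys - will be cured after reboot",
    r"2010/09/25 09:26:15.0916 Rootkit.Win32.TDSS.tdl3(PCI) - User select action: Cure",
])

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
# "<service> (<md5>) <path>": one enumerated driver.
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# The forged-file line carries both hashes; the path is the only key it gives.
FORGED_RE = re.compile(
    TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
# "<service> - detected <verdict> (n)" and "<verdict>(<service>) - User select action: <action>"
DETECTED_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<verdict>\S+)")
CURE_RE = re.compile(TS + r"(?P<verdict>\S+)\((?P<name>\w+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    name: str        # service name from the preceding driver line ("" if unmatched)
    path: str
    real_md5: str    # hash of the bytes TDSSKiller read beneath the normal path
    fake_md5: str    # hash of what the normal read path returned
    verdict: str = ""
    action: str = ""


def _by_name(findings, name):
    return next((f for f in findings.values() if f.name == name), None)


def parse_tdsskiller(text):
    """Return one Finding per forged file, in first-seen order.

    The forged line names only the path, so the service name is taken from
    the driver entry immediately before it when the paths agree. A file that
    is reported again in the cure pass is not duplicated.
    """
    findings = {}       # path -> Finding; dict preserves insertion order
    last_driver = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            last_driver = m
            continue
        m = FORGED_RE.match(line)
        if m:
            path = m.group("path")
            if path not in findings:
                name = ""
                if last_driver and last_driver.group("path") == path:
                    name = last_driver.group("name")
                findings[path] = Finding(name, path, m.group("real"), m.group("fake"))
            continue
        m = DETECTED_RE.match(line)
        if m:
            f = _by_name(findings, m.group("name"))
            if f:
                f.verdict = m.group("verdict")
            continue
        m = CURE_RE.match(line)
        if m:
            f = _by_name(findings, m.group("name"))
            if f:
                f.action = m.group("action")
    return list(findings.values())


if __name__ == "__main__":
    for f in parse_tdsskiller(SAMPLE_LOG):
        print(f"{f.name} {f.path}: real={f.real_md5} fake={f.fake_md5} "
              f"verdict={f.verdict or '?'} action={f.action or 'none'}")
```

Keying findings on the path rather than on the hash matters here: the same forged line appears once in the scan pass and once in the cure pass, and a naive line grep would count two infections where the log records one object. The two hashes are kept separately so the reader can compare the "Fake md5" against a known-good hash for that Windows build and the "Real md5" against a threat-intel source, which is the follow-up a responder would actually do with this log.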

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:02 AM

Posted 25 September 2010 - 09:47 AM

I suspect a rootkit that is protected by a system file or driver, much like the ones just found.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:02 AM

Posted 27 September 2010 - 02:28 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic349827.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



