Search engine links redirecting


12 replies to this topic

#1 Quiggifur

Quiggifur

  • Members
  • 6 posts

Posted 03 December 2010 - 01:27 PM

Looking for some help...
Normally I'm the kind of guy that'll just backup a few essential files and reformat, but I'm trying to fix my father's computer, and he refuses to do that. I get along well with a computer most of the time, but I've tried everything I know to do, and nothing has worked.

The problem is simply explained, not much more than the title of this topic. Sometimes, more often than not, the clicking of a search engine link will redirect to another website. Sometimes it redirects to another search type site, and others it's a specific product, but hardly ever to the same site. Possibly related, internet explorer will sometimes refuse to open (Firefox seems not to have that problem, at least not to the same extent).

I've downloaded an add-on called redirect remover for Firefox, and it added an option to the right-click function to open the "un-cleaned" link. For whatever reason, this (and not the intended use of the program, strangely enough) prevents link redirection, so far as I can see. As well, if I click on a link and am able to click in the URL field fast enough, and then click enter before redirection starts, it will send me to the page to which I had intended to go.

Looking forward to any reply,
-Mat

Edit:
The "open uncleaned link" option is not the workaround it seemed to be... figures. I also forgot to mention that there are occasional pop-ups too. I've tried every spyware and malware program I knew of, but none are finding anything.

[Image: Yahoo search, desired link circled]
[Image: Page to which I was redirected]

Edited by Quiggifur, 03 December 2010 - 03:17 PM.



#2 trollocks

trollocks

  • Members
  • 369 posts
  • Gender:Male
  • Location:England

Posted 03 December 2010 - 07:42 PM

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found, ensure Cure is selected
    • If Suspicious objects are found, select Skip
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


#3 Quiggifur

Quiggifur
  • Topic Starter

  • Members
  • 6 posts

Posted 04 December 2010 - 02:53 PM

As far as I can tell, Trollocks, worked perfectly. Thanks a lot for the help. Here's the copy of the log:

2010/12/04 13:06:55.0672 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/04 13:06:55.0672 ================================================================================
2010/12/04 13:06:55.0672 SystemInfo:
2010/12/04 13:06:55.0672
2010/12/04 13:06:55.0672 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/04 13:06:55.0672 Product type: Workstation
2010/12/04 13:06:55.0672 ComputerName: YOUR-4844BAE239
2010/12/04 13:06:55.0672 UserName: Norman
2010/12/04 13:06:55.0672 Windows directory: C:\WINDOWS.0
2010/12/04 13:06:55.0672 System windows directory: C:\WINDOWS.0
2010/12/04 13:06:55.0672 Processor architecture: Intel x86
2010/12/04 13:06:55.0672 Number of processors: 2
2010/12/04 13:06:55.0672 Page size: 0x1000
2010/12/04 13:06:55.0672 Boot type: Normal boot
2010/12/04 13:06:55.0672 ================================================================================
2010/12/04 13:06:55.0985 Initialize success
2010/12/04 13:07:09.0313 ================================================================================
2010/12/04 13:07:09.0313 Scan started
2010/12/04 13:07:09.0313 Mode: Manual;
2010/12/04 13:07:09.0313 ================================================================================
2010/12/04 13:07:11.0844 dmload (ebdf515c77d60c3eef857d29cb29bccf) C:\WINDOWS.0\system32\drivers\dmload.sys
2010/12/04 13:07:11.0844 Suspicious file (Forged): C:\WINDOWS.0\system32\drivers\dmload.sys. Real md5: ebdf515c77d60c3eef857d29cb29bccf, Fake md5: 45d900ff20a9cf8ef81d9ea020eb511a
2010/12/04 13:07:11.0860 dmload - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/04 13:07:17.0672 ================================================================================
2010/12/04 13:07:17.0672 Scan finished
2010/12/04 13:07:17.0672 ================================================================================
2010/12/04 13:07:17.0688 Detected object count: 1
2010/12/04 13:07:41.0454 dmload (ebdf515c77d60c3eef857d29cb29bccf) C:\WINDOWS.0\system32\drivers\dmload.sys
2010/12/04 13:07:41.0454 Suspicious file (Forged): C:\WINDOWS.0\system32\drivers\dmload.sys. Real md5: ebdf515c77d60c3eef857d29cb29bccf, Fake md5: 45d900ff20a9cf8ef81d9ea020eb511a
2010/12/04 13:08:12.0422 Backup copy not found, trying to cure infected file..
2010/12/04 13:08:12.0422 Cure success, using it..
2010/12/04 13:08:12.0438 C:\WINDOWS.0\system32\drivers\dmload.sys - will be cured after reboot
2010/12/04 13:08:12.0438 Rootkit.Win32.TDSS.tdl3(dmload) - User select action: Cure
2010/12/04 13:08:32.0688 Deinitialize success
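As an added example (not code from this thread, from TDSSKiller or from Kaspersky), a small Python parser for the log format posted above: it collects every driver the scanner enumerated, pulls the two differing MD5s out of any "Suspicious file (Forged)" line, ties them to the verdict and the action taken, and cross-checks the result against the "Detected object count" line, which is what a helper reads before calling the machine clean. The line patterns are inferred from this one log only, and the sample input is an excerpt of it with the clean driver entries trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Line patterns inferred from the TDSSKiller 2.4.10.1 log posted in this thread.
# Every line starts with a "YYYY/MM/DD HH:MM:SS.mmmm " timestamp.
TS = r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) "
ENTRY_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION_RE = re.compile(
    TS + r"(?P<verdict>\S+)\((?P<name>\S+)\) - User select action: (?P<action>\S+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    name: str                 # driver/service name as TDSSKiller prints it
    path: str = ""
    real_md5: str = ""        # the two hashes TDSSKiller reports for one file;
    fake_md5: str = ""        # they differ exactly when the file is reported as Forged
    verdict: str = ""         # e.g. Rootkit.Win32.TDSS.tdl3
    action: str = ""          # e.g. Cure


@dataclass
class ScanReport:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    findings: Dict[str, Finding] = field(default_factory=dict)         # name -> Finding
    declared_count: Optional[int] = None                               # "Detected object count"


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Parse a TDSSKiller log into enumerated drivers and the objects it flagged."""
    rep = ScanReport()
    last_entry: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := ENTRY_RE.match(line):
            # keyed by name, so the post-scan re-listing of the same driver is deduplicated
            rep.drivers[m["name"]] = (m["md5"], m["path"])
            last_entry = m["name"]
        elif m := FORGED_RE.match(line):
            # TDSSKiller prints the Forged line right after the entry for the same path
            name = last_entry if last_entry and rep.drivers[last_entry][1] == m["path"] else m["path"]
            f = rep.findings.setdefault(name, Finding(name))
            f.path, f.real_md5, f.fake_md5 = m["path"], m["real"], m["fake"]
        elif m := DETECT_RE.match(line):
            rep.findings.setdefault(m["name"], Finding(m["name"])).verdict = m["verdict"]
        elif m := ACTION_RE.match(line):
            f = rep.findings.setdefault(m["name"], Finding(m["name"]))
            f.verdict, f.action = f.verdict or m["verdict"], m["action"]
        elif m := COUNT_RE.match(line):
            rep.declared_count = int(m["n"])
    return rep


def triage(rep: ScanReport) -> dict:
    """What a helper checks before calling the machine clean: forged files, anything
    detected but not actioned, and whether the declared count matches what was parsed."""
    forged = [f.path for f in rep.findings.values()
              if f.real_md5 and f.fake_md5 and f.real_md5 != f.fake_md5]
    unresolved = [f.name for f in rep.findings.values() if f.verdict and not f.action]
    return {
        "drivers_enumerated": len(rep.drivers),
        "forged": forged,
        "unresolved": unresolved,
        "cured": [f.name for f in rep.findings.values() if f.action == "Cure"],
        "count_consistent": rep.declared_count == len(rep.findings),
    }


# Sample input: an excerpt of the log posted in this thread, clean entries trimmed.
SAMPLE_LOG = r"""2010/12/04 13:06:55.0672 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/04 13:06:55.0672 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/04 13:07:09.0313 Scan started
2010/12/04 13:07:10.0282 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS.0\system32\DRIVERS\ACPI.sys
2010/12/04 13:07:11.0844 dmload (ebdf515c77d60c3eef857d29cb29bccf) C:\WINDOWS.0\system32\drivers\dmload.sys
2010/12/04 13:07:11.0844 Suspicious file (Forged): C:\WINDOWS.0\system32\drivers\dmload.sys. Real md5: ebdf515c77d60c3eef857d29cb29bccf, Fake md5: 45d900ff20a9cf8ef81d9ea020eb511a
2010/12/04 13:07:11.0860 dmload - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/12/04 13:07:16.0454 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS.0\system32\DRIVERS\tcpip.sys
2010/12/04 13:07:17.0672 Scan finished
2010/12/04 13:07:17.0688 Detected object count: 1
2010/12/04 13:07:41.0454 dmload (ebdf515c77d60c3eef857d29cb29bccf) C:\WINDOWS.0\system32\drivers\dmload.sys
2010/12/04 13:07:41.0454 Suspicious file (Forged): C:\WINDOWS.0\system32\drivers\dmload.sys. Real md5: ebdf515c77d60c3eef857d29cb29bccf, Fake md5: 45d900ff20a9cf8ef81d9ea020eb511a
2010/12/04 13:08:12.0438 Rootkit.Win32.TDSS.tdl3(dmload) - User select action: Cure
"""

if __name__ == "__main__":
    print(triage(parse_tdsskiller_log(SAMPLE_LOG)))
```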

#4 trollocks

trollocks

  • Members
  • 369 posts
  • Gender:Male
  • Location:England

Posted 04 December 2010 - 06:14 PM

Let's run a couple more scans to see if anything else is there.


Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the log please






Run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,231 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 December 2010 - 08:08 PM

Hello, just to add an important note about the infection cured above.
This allows hackers to remotely control your computer, steal critical system information and download and execute files. You should change all passwords.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

#6 Quiggifur

Quiggifur
  • Topic Starter

  • Members
  • 6 posts

Posted 05 December 2010 - 01:26 PM

Thanks, both of you, for the help and advice. I've run Malwarebytes before, didn't find anything, and this time was the same. ESET though was a different story.

(Malwarebytes Log)
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5240

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/5/2010 9:55:41 AM
mbam-log-2010-12-05 (09-55-41).txt

Scan type: Quick scan
Objects scanned: 258871
Time elapsed: 33 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

(ESET details)
C:\Documents and Settings\HOMER\My Documents\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\COMPRESSION\WINRAR\WINRAR-V3.80_CORP.EXE probably a variant of Win32/Agent.GUJNLYS trojan deleted - quarantined
C:\Documents and Settings\HOMER\My Documents\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\privacy\East-Tec.Eraser.Pro.2008_8.9.2.100.exe probably a variant of Win32/Agent.HXPDCLC trojan deleted - quarantined
C:\Documents and Settings\HOMER\My Documents\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\SystemTools\NIRSOFTSUITE2008_11_13EN.SFX.EXE multiple threats deleted - quarantined
C:\Documents and Settings\Norman\Application Data\Microsoft\Run.exe a variant of MSIL/Injector.BB trojan cleaned by deleting - quarantined
C:\Documents and Settings\Norman\Local Settings\Temp\plugtmp-1\plugin-inczxrbphohpa5.pdf PDF/Exploit.Pidief.PDS.Gen trojan cleaned by deleting - quarantined
E:\Azureus Downloads\jZipV1d.exe a variant of Win32/Adware.Toolbar.Shopper.AA application deleted - quarantined
E:\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\COMPRESSION\WINRAR\WINRAR-V3.80_CORP.EXE probably a variant of Win32/Agent.GUJNLYS trojan deleted - quarantined
E:\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\privacy\East-Tec.Eraser.Pro.2008_8.9.2.100.exe probably a variant of Win32/Agent.HXPDCLC trojan deleted - quarantined
E:\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\SystemTools\NIRSOFTSUITE2008_11_13EN.SFX.EXE multiple threats deleted - quarantined
E:\Azureus Downloads\Season5\jZipV1d.exe a variant of Win32/Adware.Toolbar.Shopper.AA application deleted - quarantined

(ESET Log)
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=f56ee5b29252bb4392e4851902f441de
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-05 05:59:27
# local_time=2010-12-05 11:59:27 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 8143392 8143392 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=250708
# found=10
# cleaned=10
# scan_time=5394
C:\Documents and Settings\HOMER\My Documents\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\COMPRESSION\WINRAR\WINRAR-V3.80_CORP.EXE probably a variant of Win32/Agent.GUJNLYS trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\HOMER\My Documents\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\privacy\East-Tec.Eraser.Pro.2008_8.9.2.100.exe probably a variant of Win32/Agent.HXPDCLC trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\HOMER\My Documents\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\SystemTools\NIRSOFTSUITE2008_11_13EN.SFX.EXE multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Norman\Application Data\Microsoft\Run.exe a variant of MSIL/Injector.BB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Norman\Local Settings\Temp\plugtmp-1\plugin-inczxrbphohpa5.pdf PDF/Exploit.Pidief.PDS.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\Azureus Downloads\jZipV1d.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 00000000000000000000000000000000 C
E:\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\COMPRESSION\WINRAR\WINRAR-V3.80_CORP.EXE probably a variant of Win32/Agent.GUJNLYS trojan (deleted - quarantined) 00000000000000000000000000000000 C
E:\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\privacy\East-Tec.Eraser.Pro.2008_8.9.2.100.exe probably a variant of Win32/Agent.HXPDCLC trojan (deleted - quarantined) 00000000000000000000000000000000 C
E:\Azureus Downloads\Black XP 30 Ultimate\BLACK_XP_30_ULTIMATE\WPI\Install\SystemTools\NIRSOFTSUITE2008_11_13EN.SFX.EXE multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
E:\Azureus Downloads\Season5\jZipV1d.exe a variant of Win32/Adware.Toolbar.Shopper.AA application (deleted - quarantined) 00000000000000000000000000000000 C

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 December 2010 - 07:49 PM

IMPORTANT NOTE: Your scan log results indicate you are using warez/pirated software.

Windows XP Black Edition

Windows XP Black isn't really a legitimate operating system. It is a pirate version of Windows XP.


What is XP Black Edition?

It's an OS + cracked apps bundle that isn't created by Microsoft, and isn't legal.




The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

Warez, or pirated software, while free often comes with an exceptionally high cost in the form of viruses, spyware and more.

What are Warez? They appear to be free, but are they safe?

...For some users, it has become a habit to download software from free trackers. And sometimes they get away with warez or cracked software. In other cases...the cost of free software might be too high, as these trojans may steal your data.

The Cost of Free $oftware

When you use those kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Before continuing, we need you to remove all such programs immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect warez, crack and keygens. Since the warez installed on this machine is part of an illegal OS, these tools may delete files resulting in an unbootable machine.

Using these types of programs or the websites you visited to get them is very likely how the computer got infected!!

#8 Quiggifur

Quiggifur
  • Topic Starter

  • Members
  • 6 posts

Posted 06 December 2010 - 12:04 PM

I may be wrong, but I'm pretty sure the files were just downloaded to the computer, and weren't actually installed. When prompted, I deleted the files that were marked as malware from the windows black folder, and will delete the rest of the installation folder immediately. Please, someone let me know if the logs actually indicate that windows black is being used, because from what I can tell, the logs don't seem to indicate that and neither does the system information.

Edit: I'm almost positive, actually, that windows black is not being used; this is a new computer, and E: is a detachable drive he's had around a while... so, please consider windows black removed from the computer. Any additional input would be appreciated.

Edited by Quiggifur, 06 December 2010 - 12:13 PM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:14 PM

Posted 06 December 2010 - 12:46 PM

As I don't use warez, I need to be sure about the OS installation. However, the fact that someone visited such warez sites and downloaded this software is still probably how the machine came to be infected.

Press the WINKEY + R keys on your keyboard or click Start > Run..., and in the Open dialog box, type: cmd
  • Click OK or press Enter.
  • At the command prompt C:\>_, type: systeminfo >>"C:\sysinfo.txt"
  • Press Enter.
  • This will send the information to a text file named sysinfo.txt in your root drive, usually C:.
  • Open sysinfo.txt in Notepad and copy/paste the contents in your next reply.

Please download CKScanner and save it to your Desktop. <-Important!!!
  • Double-click on CKScanner.exe and click Search For Files.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A text file will be created on your desktop named ckfiles.txt.
  • Click OK at the file saved message box.
  • Double-click the ckfiles.txt icon on your desktop to open the log and copy/paste the contents in your next reply.

Edited by quietman7, 06 December 2010 - 12:51 PM.


#10 Quiggifur (Topic Starter, Members, 6 posts)

Posted 06 December 2010 - 04:03 PM

(Sysinfo.txt)
Host Name: YOUR-4844BAE239
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Your User Name
Registered Organization: Your Organization Name
Product ID: 55274-640-8834005-23071
Original Install Date: 1/7/2010, 2:30:18 PM
System Up Time: 1 Days, 11 Hours, 30 Minutes, 4 Seconds
System Manufacturer: MSI
System Model: MS-7255
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 15 Stepping 13 GenuineIntel ~2199 Mhz
BIOS Version: A M I - 8000713
Windows Directory: C:\WINDOWS.0
System Directory: C:\WINDOWS.0\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-06:00) Central Time (US & Canada)
Total Physical Memory: 1,982 MB
Available Physical Memory: 1,281 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\YOUR-4844BAE239
Hotfix(s): 223 Hotfix(s) Installed.

NetWork Card(s): 1 NIC(s) Installed.
[01]: VIA Compatable Fast Ethernet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.10.10.1
IP address(es)
[01]: 10.10.10.4

(CKfiles.txt)
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----

#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,399 posts, Virginia, USA)

Posted 06 December 2010 - 05:10 PM

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
If you previously used Norman, delete that version and download it again as the tool is frequently updated!
  • Be sure to read all the information Norman provides on that same page.
  • Double-click on Norman_Malware_Cleaner.exe to start. Vista/Windows 7 users right-click and select Run As Administrator.
    The tool is very slow to load as it uses a special driver. This is normal so please be patient.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
-- Note: If you need to scan USB flash drives or other removable drives not listed, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.


Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Link 1
Link 2
Be sure to print out and read the instructions provided in: How to Install Kaspersky Virus Removal Tool
How to use the Kaspersky Virus Removal Tool to automatically remove viruses
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • When the 'Setup page' appears, click Next, check the box 'I accept the license agreement' and click Next twice more to begin extracting the required files.
  • Setup may recommend scanning the computer in Safe Mode. Click Ok.
  • A window will open with a tab that says Autoscan and one for Manual disinfection.
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, you will see the Scan Alert screen. Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
  • Copy and paste the report results of any threats detected and if they were successfully removed in your next reply. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".

#12 Quiggifur (Topic Starter, Members, 6 posts)

Posted 06 December 2010 - 10:32 PM

Here's the Norman log, in case someone wants to take a look before I run Kaspersky; Norman took quite a while, and I don't have the time to run and post the Kaspersky log tonight. Also, just wondering, were those hits in the combofix and spybot folders possibly (or likely) false positives?

Norman Malware Cleaner
Version 1.8.3
Copyright © 1990 - 2010, Norman ASA. Built 2010/12/05 17:56:48

Norman Scanner Engine Version: 6.06.07
Nvcbin.def Version: 6.06.00, Date: 2010/12/05 17:56:48, Variants: 8288531

Scan started: 2010/12/06 16:56:54

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: YOUR-4844BAE239\Norman


Scanning kernel...

Kernel scan complete


Scanning bootsectors...

Number of sectors found: 2
Number of sectors scanned: 2
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 62ms


Scanning running processes and process memory...

Number of processes/threads found: 3062
Number of processes/threads scanned: 3062
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 1m 36s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\ComboFix\catchme.cfxxe (Infected with W32/Smalltroj.ZLDK)
Deleted file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.091230-1503.txt (Infected with LNK/FakeAV.AU)
Deleted file

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.091230-1508.txt (Infected with LNK/FakeAV.AU)
Deleted file

C:\Documents and Settings\Norman\Local Settings\Temporary Internet Files\Content.IE5\H780MN90\100px-Henryk_Mikolaj_Górecki_Polish_composer_ITN[1].jpg (Error opening file: Not found)

C:\Documents and Settings\Norman\Local Settings\Temporary Internet Files\Content.IE5\KNV0XKAK\75px-Ludwik_Wegierski_by_Bacciarelli[1].jpg (Error opening file: Not found)

C:\Documents and Settings\Norman\Local Settings\Temporary Internet Files\Content.IE5\TT3657EA\225px-Tea_leaves_steeping_in_a_zhong_caj_05[1].jpg (Error opening file: Not found)

Scanning: E:\*.*

E:\oldies\Recovered Items\Frank Sinatra_The Best Of The Capitol Years_I've Got The World On A StringN01.mp3 (Error opening file: Not found)

E:\oldies\Recovered Items\GP - Irish Rovers - Traditional Fiddle Music - Reels - The Flaxen Broom - Oinny O'Brien's Reels - Come West Along The Road.mp3 (Error opening file: Not found)

E:\oldies\Recovered Items\Waylon Jennings & Willie Nelson - Don't Let Your Babies Grow Up to Be Cowbuys.mp3 (Error opening file: Not found)

Scanning: postscan


Running post-scan cleanup routine:

Number of files found: 436064
Number of archives unpacked: 1802
Number of files scanned: 436027
Number of files not scanned: 37
Number of files skipped due to exclude list: 0
Number of infected files found: 3
Number of infected files repaired/deleted: 3
Number of infections removed: 3
Total scanning time: 2h 18m 12s

----

Since no one replied yet, I've had time to run Kaspersky, and it was clean. Here's the log:

Autoscan: completed 1 minute ago (events: 2, objects: 2452, time: 00:02:12)
12/7/2010 6:32:39 AM Task completed
12/7/2010 6:30:27 AM Task started

So, as far as I can tell, the initial problem is completely gone, along with a couple more I wasn't aware of. If anyone else knows of some other program(s) I should run, I'd be glad to hear of them, but it doesn't seem absolutely necessary (I could be wrong, I'm new at this). Thanks again for all the help.

Edited by Quiggifur, 07 December 2010 - 07:37 AM.


#13 quietman7 (Bleepin' Janitor, Global Moderator, 51,399 posts, Virginia, USA)

Posted 07 December 2010 - 09:34 AM

Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, whether files are compressed or packed, what behavior it performs, any registry strings it may contain and the type of security engine that was used during the scan.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program.

It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive".
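Applying quietman7's false-positive point to the Norman log posted in #12, as an added example that is not part of the thread or Norman's own tooling: it parses the "(Infected with ...)" / "Deleted file" lines of a Norman Malware Cleaner log and flags hits that sit inside a removal tool's own folder (ComboFix, the Spybot log directory) for review rather than treating them as active infections. The folder list and the sample log are constructed assumptions for this example.

```python
# Added example, not Norman's or BleepingComputer's code: parse a Norman
# Malware Cleaner log and flag hits inside a removal tool's own folder.
import re
from collections import Counter

# Norman reports "<path> (Infected with <name>)" followed by an action line
# such as "Deleted file", and "<path> (Error opening file: <reason>)".
HIT_RE = re.compile(r"^(?P<path>.+?) \(Infected with (?P<name>[^)]+)\)$")
ERR_RE = re.compile(r"^(?P<path>.+?) \(Error opening file: [^)]+\)$")

# Folders of diagnostic/removal tools whose embedded files or logs are
# commonly flagged. Assumed list for this example, not one Norman ships.
KNOWN_TOOL_DIRS = (r"C:\ComboFix", r"\Spybot - Search & Destroy\Logs")

def parse_norman_log(text):
    """Return (hits, unreadable); each hit carries path, name, action, flag."""
    hits, unreadable = [], []
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = HIT_RE.match(line)
        if m:
            path = m.group("path")
            # The action is on the next non-empty line (may be absent).
            action = next((ln for ln in lines[i + 1:i + 3] if ln), "")
            hits.append({
                "path": path, "name": m.group("name"), "action": action,
                "likely_false_positive": any(
                    d.lower() in path.lower() for d in KNOWN_TOOL_DIRS),
            })
        elif ERR_RE.match(line):
            unreadable.append(ERR_RE.match(line).group("path"))
    return hits, unreadable

def summarize(text):
    """Counts that can be checked against Norman's own summary block."""
    hits, unreadable = parse_norman_log(text)
    return {
        "infected_found": len(hits),
        "deleted": sum(h["action"] == "Deleted file" for h in hits),
        "likely_false_positive": sum(h["likely_false_positive"] for h in hits),
        "unreadable": len(unreadable),
        "by_detection": dict(Counter(h["name"] for h in hits)),
    }

# Constructed sample in Norman's log format, echoing the thread's hits.
SAMPLE_LOG = r"""Scanning: C:\*.*
C:\ComboFix\catchme.cfxxe (Infected with W32/Smalltroj.ZLDK)
Deleted file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.091230-1503.txt (Infected with LNK/FakeAV.AU)
Deleted file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Fixes.091230-1508.txt (Infected with LNK/FakeAV.AU)
Deleted file
C:\Documents and Settings\Norman\Local Settings\Temporary Internet Files\Content.IE5\H780MN90\photo[1].jpg (Error opening file: Not found)
"""

if __name__ == "__main__":
    for h in parse_norman_log(SAMPLE_LOG)[0]:
        print("REVIEW" if h["likely_false_positive"] else "ACTIVE", h["name"], h["path"])
    print(summarize(SAMPLE_LOG))
```

A hit flagged REVIEW still deserves a look at the file itself; the flag only says the path belongs to a known tool, which is the situation quietman7 describes, not proof that the detection is wrong.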