Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Browser Hijacking after Full System Recovery

  • Please log in to reply
4 replies to this topic

#1 TechGuy737


  • Members
  • 37 posts
  • Local time:01:44 PM

Posted 02 January 2011 - 09:11 PM

Thanks in advance for your time and help.

* When using either Internet Explorer or Firefox the requested page is redirected to seemingly random other websites.
* The browser hijack does not appear to occur upon opening a browser with a pre-established homepage.
* The browser hijack does not occur every time a hyperlink is clicked.

Operating System: Windows XP Home with Service Pack 2 (SP2)
Computer Model: HP Pavilion a420n

Background Information:
* The machine just went through a PC System Recovery using the F10 option during POST.
* The System Recovery used the option for complete destruction of data.
* The current Firefox browser (3.16.13) is the only program added since the System Recovery.
* No other programs or updates (including Windows Updates) have been initiated.
* Prior to the System Recovery, Safe Mode was used to first run MBAM and then Avast Anti-Virus. MBAM found multiple issues exceeding the 900 count.
* Prior to the System Recovery, the initial problem started as an infection by AntiVirus 2008.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,562 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:44 PM

Posted 02 January 2011 - 11:25 PM

Hello and welcome.
I want to run 2 things next from Normal mode if possible.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller. will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Now if MBAM (MalwareBytes)was originally installed from Normal mode do A,if frpm safe mode do B.

A >> Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

B >>
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TechGuy737

  • Topic Starter

  • Members
  • 37 posts
  • Local time:01:44 PM

Posted 03 January 2011 - 12:10 AM

The following steps were taken per your instructions:

* (TDSSKiller.exe) ran successfully. Found one problem and Cured as instructed.
* Logfile as requested:
2011/01/02 22:46:23.0360	TDSS rootkit removing tool Dec 16 2010 09:46:46
2011/01/02 22:46:23.0360	================================================================================
2011/01/02 22:46:23.0360	SystemInfo:
2011/01/02 22:46:23.0360	
2011/01/02 22:46:23.0360	OS Version: 5.1.2600 ServicePack: 1.0
2011/01/02 22:46:23.0360	Product type: Workstation
2011/01/02 22:46:23.0360	ComputerName: GODSGIFT
2011/01/02 22:46:23.0360	UserName: Owner
2011/01/02 22:46:23.0360	Windows directory: C:\WINDOWS
2011/01/02 22:46:23.0360	System windows directory: C:\WINDOWS
2011/01/02 22:46:23.0360	Processor architecture: Intel x86
2011/01/02 22:46:23.0360	Number of processors: 1
2011/01/02 22:46:23.0360	Page size: 0x1000
2011/01/02 22:46:23.0360	Boot type: Normal boot
2011/01/02 22:46:23.0360	================================================================================
2011/01/02 22:46:23.0766	Initialize success
2011/01/02 22:46:29.0064	================================================================================
2011/01/02 22:46:29.0064	Scan started
2011/01/02 22:46:29.0064	Mode: Manual; 
2011/01/02 22:46:29.0064	================================================================================
2011/01/02 22:46:31.0533	ACPI            (94ddd4b3acbd7a9558e1762cd58386f9) C:\WINDOWS\System32\DRIVERS\ACPI.sys
2011/01/02 22:46:32.0252	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\System32\drivers\ACPIEC.sys
2011/01/02 22:46:33.0674	aec             (ff773feda15e8bd97fd54fe87a0acdbe) C:\WINDOWS\System32\drivers\aec.sys
2011/01/02 22:46:34.0408	AFD             (51b1872b62d1c335bac53313913c8d5b) C:\WINDOWS\System32\drivers\afd.sys
2011/01/02 22:46:35.0127	AFS2K           (c719341a1cf6afd4fa0808ae3d23d6a3) C:\WINDOWS\System32\drivers\AFS2K.sys
2011/01/02 22:46:35.0909	agp440          (65880045c51aa36184841cee915a61df) C:\WINDOWS\System32\DRIVERS\agp440.sys
2011/01/02 22:46:38.0847	ALCXWDM         (c1ee0356d7ff7dc7c5042a8baeaccc04) C:\WINDOWS\System32\drivers\ALCXWDM.SYS
2011/01/02 22:46:40.0284	AmdK7           (e1f2a5f066a6656c8cd5056947a73723) C:\WINDOWS\System32\DRIVERS\amdk7.sys
2011/01/02 22:46:41.0738	Arp1394         (e47ae30589d7195bb044847fbb63a06e) C:\WINDOWS\System32\DRIVERS\arp1394.sys
2011/01/02 22:46:44.0691	AsyncMac        (03f403b07a884fc2aa54a0916c410931) C:\WINDOWS\System32\DRIVERS\asyncmac.sys
2011/01/02 22:46:45.0426	atapi           (f1d915c3870e741d83b5142f3b358761) C:\WINDOWS\System32\DRIVERS\atapi.sys
2011/01/02 22:46:46.0879	Atmarpc         (8d735ca1cbdb0081b0e3b9ff0eb222d0) C:\WINDOWS\System32\DRIVERS\atmarpc.sys
2011/01/02 22:46:47.0582	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\System32\DRIVERS\audstub.sys
2011/01/02 22:46:48.0317	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\System32\drivers\Beep.sys
2011/01/02 22:46:49.0098	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\drivers\cbidf2k.sys
2011/01/02 22:46:49.0833	CCDECODE        (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\System32\DRIVERS\CCDECODE.sys
2011/01/02 22:46:51.0255	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\System32\drivers\Cdaudio.sys
2011/01/02 22:46:52.0005	Cdfs            (049a38451f2611caf2fd528e023a0b5a) C:\WINDOWS\System32\drivers\Cdfs.sys
2011/01/02 22:46:52.0739	Cdrom           (6506e033ad04cfec9ee56dbefd1083dd) C:\WINDOWS\System32\DRIVERS\cdrom.sys
2011/01/02 22:46:57.0037	Disk            (d1b16340ceaceecbf52340a0cbdf43e1) C:\WINDOWS\System32\DRIVERS\disk.sys
2011/01/02 22:46:57.0787	dmboot          (e18132d39407aadca6b1d19adf408a8a) C:\WINDOWS\System32\drivers\dmboot.sys
2011/01/02 22:46:58.0537	dmio            (aca44e9a8e2ff7c833664263c8478629) C:\WINDOWS\System32\drivers\dmio.sys
2011/01/02 22:46:59.0240	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\System32\drivers\dmload.sys
2011/01/02 22:46:59.0959	DMusic          (ef05974d47d56fa8387f170f05bae5e7) C:\WINDOWS\System32\drivers\DMusic.sys
2011/01/02 22:47:01.0475	drmkaud         (fd859e517fa2abb53654afa7ec9e3a94) C:\WINDOWS\System32\drivers\drmkaud.sys
2011/01/02 22:47:02.0225	Fastfat         (e4a3a8f3e60b542a747b10e86faa5dad) C:\WINDOWS\System32\drivers\Fastfat.sys
2011/01/02 22:47:02.0960	fasttx2k        (6339aaf63240df0634902b98c0f56049) C:\WINDOWS\System32\DRIVERS\fasttx2k.sys
2011/01/02 22:47:03.0694	Fdc             (19c5c7eac0190a42522290bf002f64ea) C:\WINDOWS\System32\DRIVERS\fdc.sys
2011/01/02 22:47:04.0429	FETNDISB        (29063004926b225c417e7147822f5866) C:\WINDOWS\System32\DRIVERS\fetnd5b.sys
2011/01/02 22:47:05.0148	Fips            (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\System32\drivers\Fips.sys
2011/01/02 22:47:05.0882	Flpydisk        (8f70d1f7606f7442e2f7383f3701d728) C:\WINDOWS\System32\DRIVERS\flpydisk.sys
2011/01/02 22:47:06.0554	Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\System32\drivers\Fs_Rec.sys
2011/01/02 22:47:07.0289	Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\System32\DRIVERS\ftdisk.sys
2011/01/02 22:47:08.0023	Gpc             (13591e0a02e85de2a388f3ec4bd206df) C:\WINDOWS\System32\DRIVERS\msgpc.sys
2011/01/02 22:47:10.0805	i8042prt        (7080f46568108cc6ea73e460ee6ee702) C:\WINDOWS\System32\DRIVERS\i8042prt.sys
2011/01/02 22:47:11.0539	ialm            (1406d6ef4436aee970efe13193123965) C:\WINDOWS\System32\DRIVERS\ialmnt5.sys
2011/01/02 22:47:12.0289	Imapi           (3cb4410747f2330d97b10b656d5bb2ac) C:\WINDOWS\System32\DRIVERS\imapi.sys
2011/01/02 22:47:13.0758	IntelIde        (3049227da71a4a68515dcdce3030eacd) C:\WINDOWS\System32\DRIVERS\intelide.sys
2011/01/02 22:47:14.0477	IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
2011/01/02 22:47:15.0227	IpInIp          (f56dd863ba732a4e8ee58d486c31250f) C:\WINDOWS\System32\DRIVERS\ipinip.sys
2011/01/02 22:47:15.0962	IpNat           (fc672ad6e9676814a0c844912f2abcff) C:\WINDOWS\System32\DRIVERS\ipnat.sys
2011/01/02 22:47:16.0681	IPSec           (1c4802409cfd4a7051f458b744cfcaa5) C:\WINDOWS\System32\DRIVERS\ipsec.sys
2011/01/02 22:47:17.0493	IRENUM          (b43201394646b7e98c89056edda686b5) C:\WINDOWS\System32\DRIVERS\irenum.sys
2011/01/02 22:47:18.0212	isapnp          (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\System32\DRIVERS\isapnp.sys
2011/01/02 22:47:18.0947	Kbdclass        (1e7f78c2fc393356cd884c6fde7966f9) C:\WINDOWS\System32\DRIVERS\kbdclass.sys
2011/01/02 22:47:19.0775	kmixer          (10e0feb086d8c1419b958c9034e4668a) C:\WINDOWS\System32\drivers\kmixer.sys
2011/01/02 22:47:21.0275	KSecDD          (abc70e8b89cce44731a346deb764bf95) C:\WINDOWS\System32\drivers\KSecDD.sys
2011/01/02 22:47:23.0807	ltmodem5        (829ef680a308c12e2a80e5e0da0d958d) C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
2011/01/02 22:47:24.0932	mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\System32\drivers\mnmdd.sys
2011/01/02 22:47:25.0901	Modem           (7760873e4ec17f288e61f00044dea000) C:\WINDOWS\System32\drivers\Modem.sys
2011/01/02 22:47:26.0635	Mouclass        (81fb25d6ee5e0728d2c0630c58d7d908) C:\WINDOWS\System32\DRIVERS\mouclass.sys
2011/01/02 22:47:27.0354	MountMgr        (d4face53a1c48cf8419b4cf494d2ee2e) C:\WINDOWS\System32\drivers\MountMgr.sys
2011/01/02 22:47:29.0448	MRxDAV          (d30cba20cc355d3648b9fed5bb55a9d5) C:\WINDOWS\System32\DRIVERS\mrxdav.sys
2011/01/02 22:47:30.0308	MRxSmb          (d4bd5ef775ad4fb0b8e3786f674dabdd) C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
2011/01/02 22:47:31.0042	Msfs            (a1831538e119363d0d90d757ac8a2012) C:\WINDOWS\System32\drivers\Msfs.sys
2011/01/02 22:47:31.0746	MSKSSRV         (85736f804191cb420a31aca2a7f0674f) C:\WINDOWS\System32\drivers\MSKSSRV.sys
2011/01/02 22:47:32.0465	MSPCLOCK        (e943adb93d83c5cbc0ca3f53f53b48cc) C:\WINDOWS\System32\drivers\MSPCLOCK.sys
2011/01/02 22:47:33.0168	MSPQM           (f6a726b8832db1f88326b8be98b11981) C:\WINDOWS\System32\drivers\MSPQM.sys
2011/01/02 22:47:33.0887	MSTEE           (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\System32\drivers\MSTEE.sys
2011/01/02 22:47:34.0621	Mup             (08c56887f06473b09fc1b39e7dec0fb6) C:\WINDOWS\System32\drivers\Mup.sys
2011/01/02 22:47:35.0371	MxlW2k          (c6eee2261681396e36f3d8a003582c9e) C:\WINDOWS\System32\drivers\MxlW2k.sys
2011/01/02 22:47:36.0074	NABTSFEC        (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys
2011/01/02 22:47:36.0246	NAVENG          (340d5f83c8f8256377111ce9220c96b3) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030924.008\NAVENG.Sys
2011/01/02 22:47:36.0450	NAVEX15         (5544c427f85b1d0bf3b62a20eeb15a92) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030924.008\NavEx15.Sys
2011/01/02 22:47:37.0168	NDIS            (09b38768036508b51564201afb000950) C:\WINDOWS\System32\drivers\NDIS.sys
2011/01/02 22:47:37.0872	NdisIP          (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\System32\DRIVERS\NdisIP.sys
2011/01/02 22:47:38.0591	NdisTapi        (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\System32\DRIVERS\ndistapi.sys
2011/01/02 22:47:39.0294	Ndisuio         (ac136fdc051a57e5f8f93694fce2b240) C:\WINDOWS\System32\DRIVERS\ndisuio.sys
2011/01/02 22:47:40.0013	NdisWan         (15787deca8c5428beeaa8044f544fd85) C:\WINDOWS\System32\DRIVERS\ndiswan.sys
2011/01/02 22:47:40.0731	NDProxy         (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\System32\drivers\NDProxy.sys
2011/01/02 22:47:41.0450	NetBIOS         (e351339fa17c4a70940e15b5e3dae6e2) C:\WINDOWS\System32\DRIVERS\netbios.sys
2011/01/02 22:47:42.0169	NetBT           (d96f3bc5a6e7452b0e3275b560dc8528) C:\WINDOWS\System32\DRIVERS\netbt.sys
2011/01/02 22:47:42.0919	NIC1394         (ff4ceca01030be87d530e2c5859738db) C:\WINDOWS\System32\DRIVERS\nic1394.sys
2011/01/02 22:47:43.0669	Npfs            (20aba9f035e3a98877480e34fcc4dcb3) C:\WINDOWS\System32\drivers\Npfs.sys
2011/01/02 22:47:44.0388	Ntfs            (e3ae9c79498210a5f39fe5a9ad62bc55) C:\WINDOWS\System32\drivers\Ntfs.sys
2011/01/02 22:47:45.0123	Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\System32\drivers\Null.sys
2011/01/02 22:47:45.0935	nv              (c36066ec30521cebaf52127027755798) C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
2011/01/02 22:47:46.0686	nvcap           (9b7accfac9b19b98d54f45a9cf61ca39) C:\WINDOWS\System32\DRIVERS\nvcap.sys
2011/01/02 22:47:47.0420	NVXBAR          (bef79a5b5a01bb749afbed27837e6311) C:\WINDOWS\System32\DRIVERS\NVxbar.sys
2011/01/02 22:47:48.0123	nv_agp          (01621905ae34bc24aaa2fddb93977299) C:\WINDOWS\System32\DRIVERS\nv_agp.sys
2011/01/02 22:47:48.0842	NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys
2011/01/02 22:47:49.0577	NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys
2011/01/02 22:47:50.0280	ohci1394        (52c36c911f83f200130b2f84e01f3511) C:\WINDOWS\System32\DRIVERS\ohci1394.sys
2011/01/02 22:47:50.0999	Parport         (67fd105f525a94c0246c9088e85a2f3b) C:\WINDOWS\System32\DRIVERS\parport.sys
2011/01/02 22:47:51.0718	PartMgr         (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\System32\drivers\PartMgr.sys
2011/01/02 22:47:52.0436	ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\System32\drivers\ParVdm.sys
2011/01/02 22:47:53.0140	PCI             (9390447f3b1be5064a3ebe98c555a1e5) C:\WINDOWS\System32\DRIVERS\pci.sys
2011/01/02 22:47:54.0577	PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\System32\DRIVERS\pciide.sys
2011/01/02 22:47:55.0296	Pcmcia          (4ca446e011e2f61ac45eb2e3bc3f1584) C:\WINDOWS\System32\drivers\Pcmcia.sys
2011/01/02 22:48:00.0203	pfc             (e5ac9f8c128b597dd7919af96b84172e) C:\WINDOWS\System32\drivers\pfc.sys
2011/01/02 22:48:00.0953	PptpMiniport    (a33601c20fca262a3fabe3730c2faa62) C:\WINDOWS\System32\DRIVERS\raspptp.sys
2011/01/02 22:48:01.0672	Processor       (0f8a31ab9d8963f66ad93d3f69a1914c) C:\WINDOWS\System32\DRIVERS\processr.sys
2011/01/02 22:48:02.0438	Ps2             (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\System32\DRIVERS\PS2.sys
2011/01/02 22:48:03.0141	PSched          (944440247fe6988c88b376ed85a0cd1a) C:\WINDOWS\System32\DRIVERS\psched.sys
2011/01/02 22:48:03.0845	Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\System32\DRIVERS\ptilink.sys
2011/01/02 22:48:04.0563	PxHelp20        (7e1eacdecba39e0b2a35306426f0decc) C:\WINDOWS\System32\DRIVERS\PxHelp20.sys
2011/01/02 22:48:08.0720	RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\System32\DRIVERS\rasacd.sys
2011/01/02 22:48:09.0455	Rasl2tp         (4c242c79a9c0d98d52d6f8cb9248d528) C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
2011/01/02 22:48:10.0158	RasPppoe        (888335b3be346119cf7b4eff3a3fca7c) C:\WINDOWS\System32\DRIVERS\raspppoe.sys
2011/01/02 22:48:10.0893	Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\System32\DRIVERS\raspti.sys
2011/01/02 22:48:11.0627	Rdbss           (df80c149c96fcfbb8a3dc3d5dd950aa8) C:\WINDOWS\System32\DRIVERS\rdbss.sys
2011/01/02 22:48:12.0362	RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
2011/01/02 22:48:13.0112	RDPWD           (0606700377b6fb8b04475e92507adade) C:\WINDOWS\System32\drivers\RDPWD.sys
2011/01/02 22:48:13.0862	redbook         (ab56d6ed4e86d2b6f819a24a070f35f7) C:\WINDOWS\System32\DRIVERS\redbook.sys
2011/01/02 22:48:14.0628	rtl8139         (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\System32\DRIVERS\R8139n51.SYS
2011/01/02 22:48:15.0362	S3Psddr         (5ac35ae969a729227522e972885e3aa7) C:\WINDOWS\System32\DRIVERS\s3gnbm.sys
2011/01/02 22:48:15.0518	SAVRT           (0c67e81abbe009d074563d86c4457da6) c:\Program Files\Norton AntiVirus\SAVRT.SYS
2011/01/02 22:48:15.0643	SAVRTPEL        (b51ddbe72d6650658d243b78f157fcf0) c:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
2011/01/02 22:48:16.0425	Secdrv          (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\System32\DRIVERS\secdrv.sys
2011/01/02 22:48:17.0128	Serenum         (65a7c4d86c153c82e33a552c217abb29) C:\WINDOWS\System32\DRIVERS\serenum.sys
2011/01/02 22:48:17.0862	Serial          (dc7cbfec14b1b38bcf32aba922ffeaad) C:\WINDOWS\System32\DRIVERS\serial.sys
2011/01/02 22:48:18.0581	Sfloppy         (4e1b8866f3d208dee3906a191cb493e3) C:\WINDOWS\System32\drivers\Sfloppy.sys
2011/01/02 22:48:20.0003	SiS315          (bdfef5c5d41ba377852389e8f07104ea) C:\WINDOWS\System32\DRIVERS\sisgrp.sys
2011/01/02 22:48:20.0738	SISAGP          (923d23638c616eecb0d811461161d0b8) C:\WINDOWS\System32\DRIVERS\SISAGPX.sys
2011/01/02 22:48:21.0457	SiSkp           (7e9e5823afbb5af2851abb1659ff627d) C:\WINDOWS\System32\DRIVERS\srvkp.sys
2011/01/02 22:48:22.0144	SLIP            (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\System32\DRIVERS\SLIP.sys
2011/01/02 22:48:23.0613	splitter        (32c54211e9e8a45cbcb097beaeb1999a) C:\WINDOWS\System32\drivers\splitter.sys
2011/01/02 22:48:24.0317	sr              (cd952661dbdf31c42e325a06bc67fd0e) C:\WINDOWS\System32\DRIVERS\sr.sys
2011/01/02 22:48:25.0192	Srv             (042beb03b0e917b530e78b8a08d48749) C:\WINDOWS\System32\DRIVERS\srv.sys
2011/01/02 22:48:25.0973	streamip        (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\System32\DRIVERS\StreamIP.sys
2011/01/02 22:48:26.0692	SunkFilt        (2087b202cfe8a2f8a59cecfffbec58d5) C:\WINDOWS\System32\Drivers\sunkfilt.sys
2011/01/02 22:48:28.0098	swenum          (616a013d3ea068b6dee83d905e92ee9f) C:\WINDOWS\System32\DRIVERS\swenum.sys
2011/01/02 22:48:28.0817	swmidi          (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\System32\drivers\swmidi.sys
2011/01/02 22:48:30.0271	SymEvent        (05d9613efe7809e384c10da26958dfa4) C:\Program Files\Symantec\SYMEVENT.SYS
2011/01/02 22:48:30.0974	SYMREDRV        (5bafb61e41806328502224efdc01a0b3) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/01/02 22:48:31.0693	SYMTDI          (9b944dd054edb7927eca3a2370472d05) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/01/02 22:48:33.0756	sysaudio        (b0b19f036f76333ab3338c7493e87b12) C:\WINDOWS\System32\drivers\sysaudio.sys
2011/01/02 22:48:34.0521	Tcpip           (244a2f9816bc9b593957281ef577d976) C:\WINDOWS\System32\DRIVERS\tcpip.sys
2011/01/02 22:48:35.0225	TDPIPE          (1a96630babbd59e8b885eae0dfbe6a3e) C:\WINDOWS\System32\drivers\TDPIPE.sys
2011/01/02 22:48:35.0943	TDTCP           (d1c578c6b37713694c5edd7c2d7f7451) C:\WINDOWS\System32\drivers\TDTCP.sys
2011/01/02 22:48:36.0678	TermDD          (194c51bc28a7ce9818012142b062e431) C:\WINDOWS\System32\DRIVERS\termdd.sys
2011/01/02 22:48:38.0100	Udfs            (82c636ecaabe2b4ecff464251116dbc2) C:\WINDOWS\System32\drivers\Udfs.sys
2011/01/02 22:48:39.0491	Update          (164cfae1d766905f56c432acfc54f28c) C:\WINDOWS\System32\DRIVERS\update.sys
2011/01/02 22:48:40.0241	usbehci         (2d0c2f3836f72e85d41d9c50aeeb5423) C:\WINDOWS\System32\DRIVERS\usbehci.sys
2011/01/02 22:48:40.0960	usbhub          (d7bf70ac85e48b6c4df953401eccb75a) C:\WINDOWS\System32\DRIVERS\usbhub.sys
2011/01/02 22:48:41.0679	usbohci         (4e7d2f6df7a7e02d80fe0b109f0c9f02) C:\WINDOWS\System32\DRIVERS\usbohci.sys
2011/01/02 22:48:42.0382	USBSTOR         (4923c60f9c381eae679db04021d26abb) C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
2011/01/02 22:48:43.0101	usbuhci         (49ec068278d85bc1e20ac7f3d315e940) C:\WINDOWS\System32\DRIVERS\usbuhci.sys
2011/01/02 22:48:43.0820	VgaSave         (08d2edfd7261242b8aea27f1fe11e120) C:\WINDOWS\System32\drivers\vga.sys
2011/01/02 22:48:44.0539	viaagp1         (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\System32\DRIVERS\viaagp1.sys
2011/01/02 22:48:45.0242	viagfx          (e8c619c6c6bde90d130dda87150e1944) C:\WINDOWS\System32\DRIVERS\vtmini.sys
2011/01/02 22:48:45.0976	ViaIde          (fe2a9e925030fd316680680a2eb9ea63) C:\WINDOWS\System32\DRIVERS\viaide.sys
2011/01/02 22:48:46.0711	VolSnap         (6fdc9523ef81617cf5028f47fcaf0fbe) C:\WINDOWS\System32\drivers\VolSnap.sys
2011/01/02 22:48:47.0477	Wanarp          (484af08f15d1306ff2e8b64fe62a160c) C:\WINDOWS\System32\DRIVERS\wanarp.sys
2011/01/02 22:48:48.0914	wdmaud          (499b653356a9e5589ee83ac47e5d2a8c) C:\WINDOWS\System32\drivers\wdmaud.sys
2011/01/02 22:48:49.0727	WS2IFSL         (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/02 22:48:50.0430	WSTCODEC        (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS
2011/01/02 22:48:51.0196	{6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\System32\drivers\ialmsbw.sys
2011/01/02 22:48:51.0915	{D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\System32\drivers\ialmkchw.sys
2011/01/02 22:48:51.0962	\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/02 22:48:52.0024	================================================================================
2011/01/02 22:48:52.0024	Scan finished
2011/01/02 22:48:52.0024	================================================================================
2011/01/02 22:48:52.0055	Detected object count: 1
2011/01/02 22:49:57.0582	\HardDisk0 - will be cured after reboot
2011/01/02 22:49:57.0582	Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure 
2011/01/02 22:50:00.0316	Deinitialize success

* MBAM was installed in Normal Mode and updated to current database.
* MBAM ran successfully. Found one problem and Cured as instructed.
* Logfile as requested:
Malwarebytes' Anti-Malware

Database version: 5446

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

1/2/2011 11:00:53 PM
mbam-log-2011-01-02 (23-00-53).txt

Scan type: Quick scan
Objects scanned: 132330
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

* The PC has been rebooted into Normal Mode

#4 TechGuy737

  • Topic Starter

  • Members
  • 37 posts
  • Local time:01:44 PM

Posted 03 January 2011 - 09:34 AM

* Is there anything further that you want tested?

Current Status:
* The PC shows no previous stated signs of infection.
* Internet browsing occurs without any redirection.

* To begin applying all relevant Windows Updates.
* To install free security programs: Avast Anti-virus, PC Tools Firewall, Ccleaner, Spyware Blaster, MBAM (already installed), & ERUNT
* To return the PC to an over-worried friend... lol.

Final Thoughts:
If there is not anything further then I want to Thank You Very Much!!! for giving of your experienced time. I wish I was at your level of expertise so I would not have to post like this.

#5 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,562 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:01:44 PM

Posted 03 January 2011 - 02:23 PM

Hello, looks good here and you're welcome. Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users