Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser Redirection when following links


  • This topic is locked This topic is locked
11 replies to this topic

#1 execute

execute

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 05 February 2011 - 02:33 PM

Hello,
My windows XP machine got infected with a whole bunch of viruses (from downloading a malicious PDF). They got through my virus scanner (AntiVir) and I think I have taken care of most of them by running AVG and MalwareBytes. However one that persists is a web browser redirection virus. Occasionally when I follow links, the web browser is redirected to a seemingly random website trying to sell me stuff. Please note that if I copy and paste the link directly into the browser address bar, the redirection does not happen. I have run HiJackThis and pruned out suspicious looking entries but this has not helped.

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 05 February 2011 - 03:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 execute

execute
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 05 February 2011 - 04:08 PM

Hello and thank you for the prompt reply. The situation has not changed; the only symptom is firefox gets redirected to strange URL's when following links.
I have run DDS successfully. The first time I ran gmer, my windows blue-screened so I am rerunning it now. I will post the gmer log when it is ready.

DDS (Ver_10-12-12.02) - NTFSx86
Run by Ken at 13:08:22.51 on Sat 02/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.339 [GMT -8:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: NVIDIA Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EPoX\USDM\USDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ken\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [<NO NAME>]
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [EPoXUSDM] "c:\program files\epox\usdm\USDM.EXE" "5000"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\ken\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {5F572187-3588-40AC-B72B-A9FD0B5E0643} = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ken\applic~1\mozilla\firefox\profiles\kz9iejyy.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 app_filter;app_filter;c:\program files\nvidia corporation\networkaccessmanager\bin\nSvcAppFlt.exe [2004-11-24 139264]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2010-7-20 291496]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2010-7-20 27160]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2010-7-20 77336]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 gupdate1c998a67f11a268;Google Update Service (gupdate1c998a67f11a268);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2010-7-20 23064]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2010-7-20 25112]
S3 PRISM_ICB;SMC2802W 2.4GHz 54Mbps Wireless PCI Card;c:\windows\system32\drivers\smc2802w.sys [2005-6-6 56512]

=============== Created Last 30 ================

2011-02-05 07:09:06 -------- d--h--w- C:\$AVG
2011-02-05 06:26:49 -------- d-----w- c:\docume~1\ken\applic~1\AVG10
2011-02-05 06:25:36 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-05 06:24:32 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-05 06:24:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-05 06:24:08 -------- d-----w- c:\program files\AVG
2011-02-05 06:04:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-04 17:42:52 -------- d-----w- c:\docume~1\ken\applic~1\Malwarebytes
2011-02-04 17:42:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-04 17:42:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-04 17:42:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-04 17:42:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-04 17:20:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-04 17:20:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 02:32:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Aventail
2011-01-26 02:32:39 -------- d-----w- c:\program files\Aventail Connect
2011-01-26 02:30:21 -------- d-----w- c:\docume~1\ken\applic~1\Aventail

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD74 rev.31.0 -> Harddisk0\DR0 -> \Device\Scsi\nvgts2

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86C8785C]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86c8da38]; MOV EAX, [0x86c8dab4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86D01030]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000071[0x86D1B6E0]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86D1B7F8]
\Driver\nvgts[0x86D20288] -> IRP_MJ_CREATE -> 0x86C8785C
error: Read The system cannot find the file specified.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Scsi\nvgts2Port3Path1Target1Lun0 -> \??\SCSI#Disk&Ven_WDC_WD74&Prod_0GD-00FLA2&Rev_31.0#4&8ae9b1c&0&110#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:10:07.31 ===============

Attached Files



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 05 February 2011 - 05:09 PM

Hello execute,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

3.
Download Bootkit Remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose [/b]Select All[/b].
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.

Things to include in your next reply::
TDSSKiller log
MBRCheck log
Bootkit Remover log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 execute

execute
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 05 February 2011 - 07:49 PM

After following your instructions, the situation appears to be much improved! I spent some time browsing and there were no redirections. One thing that did happen is TDSSKiller did find a rootkit. After curing it, but before rebooting AVG (my resident virus scanner) detected c:\WINDOWS\TEMP\EXPLORER.EXE as malware. Also GMER caused windows to blue screen again so I was unable to run it to completion.

Here are the logs:
2011/02/05 16:18:45.0687 2384 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/05 16:18:46.0218 2384 ================================================================================
2011/02/05 16:18:46.0218 2384 SystemInfo:
2011/02/05 16:18:46.0218 2384
2011/02/05 16:18:46.0218 2384 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/05 16:18:46.0218 2384 Product type: Workstation
2011/02/05 16:18:46.0218 2384 ComputerName: KEN
2011/02/05 16:18:46.0218 2384 UserName: Ken
2011/02/05 16:18:46.0218 2384 Windows directory: C:\WINDOWS
2011/02/05 16:18:46.0218 2384 System windows directory: C:\WINDOWS
2011/02/05 16:18:46.0218 2384 Processor architecture: Intel x86
2011/02/05 16:18:46.0218 2384 Number of processors: 1
2011/02/05 16:18:46.0218 2384 Page size: 0x1000
2011/02/05 16:18:46.0218 2384 Boot type: Normal boot
2011/02/05 16:18:46.0218 2384 ================================================================================
2011/02/05 16:18:46.0453 2384 Initialize success
2011/02/05 16:19:05.0156 3460 ================================================================================
2011/02/05 16:19:05.0156 3460 Scan started
2011/02/05 16:19:05.0156 3460 Mode: Manual;
2011/02/05 16:19:05.0156 3460 ================================================================================
2011/02/05 16:19:05.0531 3460 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/05 16:19:05.0578 3460 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/05 16:19:05.0609 3460 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/05 16:19:05.0671 3460 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/05 16:19:05.0828 3460 ALCXWDM (06dd2362d4d0f62e7f26e7fef2c999f6) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/02/05 16:19:05.0968 3460 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/02/05 16:19:06.0078 3460 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/05 16:19:06.0093 3460 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/05 16:19:06.0234 3460 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/02/05 16:19:06.0343 3460 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/05 16:19:06.0375 3460 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/05 16:19:06.0421 3460 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/02/05 16:19:06.0437 3460 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/02/05 16:19:06.0468 3460 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/02/05 16:19:06.0500 3460 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/02/05 16:19:06.0531 3460 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/02/05 16:19:06.0562 3460 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/02/05 16:19:06.0593 3460 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/02/05 16:19:06.0625 3460 Avgtdix (660788ec46f10ece80274d564fa8b4aa) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/02/05 16:19:06.0656 3460 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/05 16:19:06.0703 3460 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/05 16:19:06.0750 3460 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/05 16:19:06.0796 3460 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/05 16:19:06.0828 3460 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/05 16:19:06.0968 3460 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/05 16:19:07.0015 3460 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/05 16:19:07.0078 3460 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/05 16:19:07.0093 3460 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/05 16:19:07.0125 3460 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/05 16:19:07.0187 3460 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/05 16:19:07.0218 3460 EPoXUSDM (7c932084d02c31ad63ca65ed91b165c9) C:\WINDOWS\system32\drivers\EPoXUSDM.sys
2011/02/05 16:19:07.0265 3460 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/05 16:19:07.0281 3460 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/05 16:19:07.0312 3460 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/05 16:19:07.0343 3460 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/05 16:19:07.0359 3460 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/05 16:19:07.0390 3460 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/05 16:19:07.0406 3460 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/05 16:19:07.0437 3460 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/02/05 16:19:07.0468 3460 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/02/05 16:19:07.0500 3460 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/05 16:19:07.0531 3460 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/05 16:19:07.0593 3460 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/05 16:19:07.0656 3460 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/05 16:19:07.0687 3460 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/05 16:19:07.0765 3460 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/05 16:19:07.0796 3460 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/05 16:19:07.0828 3460 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/05 16:19:07.0859 3460 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/05 16:19:07.0890 3460 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/05 16:19:07.0906 3460 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/05 16:19:07.0937 3460 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/05 16:19:07.0953 3460 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/05 16:19:07.0984 3460 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/05 16:19:08.0015 3460 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/05 16:19:08.0078 3460 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/05 16:19:08.0093 3460 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/05 16:19:08.0125 3460 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/05 16:19:08.0156 3460 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/05 16:19:08.0171 3460 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/05 16:19:08.0218 3460 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/05 16:19:08.0281 3460 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/05 16:19:08.0312 3460 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/05 16:19:08.0328 3460 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/05 16:19:08.0343 3460 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/05 16:19:08.0375 3460 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/05 16:19:08.0390 3460 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/05 16:19:08.0421 3460 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/05 16:19:08.0453 3460 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/05 16:19:08.0468 3460 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/05 16:19:08.0500 3460 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/05 16:19:08.0531 3460 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/05 16:19:08.0562 3460 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/05 16:19:08.0578 3460 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/05 16:19:08.0609 3460 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/05 16:19:08.0656 3460 NgFilter (7cec6699d1eed74a0b50d7e4cd486bfe) C:\WINDOWS\system32\DRIVERS\ngfilter.sys
2011/02/05 16:19:08.0687 3460 NgLog (af8e5020c09481608dd408ef9fd0e0a4) C:\WINDOWS\system32\DRIVERS\nglog.sys
2011/02/05 16:19:08.0718 3460 NgVpn (3b6e6a44690fd2bbab3d903b9038e711) C:\WINDOWS\system32\DRIVERS\ngvpn.sys
2011/02/05 16:19:08.0734 3460 NgWfp (edcdc9a1a400a9c1d208d5683294492b) C:\WINDOWS\system32\DRIVERS\ngwfp.sys
2011/02/05 16:19:08.0750 3460 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/02/05 16:19:08.0781 3460 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/05 16:19:08.0828 3460 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/05 16:19:08.0875 3460 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/05 16:19:08.0906 3460 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/02/05 16:19:08.0937 3460 nvgts (ea98bfe4931bd13d747d647c1859796e) C:\WINDOWS\system32\DRIVERS\nvgts.sys
2011/02/05 16:19:08.0968 3460 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/02/05 16:19:09.0015 3460 NVTCP (7c5172dbd67e8e4ab611b56abf831e97) C:\WINDOWS\system32\DRIVERS\NVTcp.sys
2011/02/05 16:19:09.0062 3460 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/05 16:19:09.0078 3460 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/05 16:19:09.0093 3460 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/02/05 16:19:09.0125 3460 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/05 16:19:09.0156 3460 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/05 16:19:09.0187 3460 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/05 16:19:09.0218 3460 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/05 16:19:09.0265 3460 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/05 16:19:09.0296 3460 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/05 16:19:09.0468 3460 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/05 16:19:09.0500 3460 PRISM_ICB (9d04bdcb80ef3505b09911bad678c62e) C:\WINDOWS\system32\DRIVERS\smc2802w.sys
2011/02/05 16:19:09.0531 3460 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/02/05 16:19:09.0562 3460 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/05 16:19:09.0578 3460 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/05 16:19:09.0609 3460 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/05 16:19:09.0718 3460 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/05 16:19:09.0750 3460 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/05 16:19:09.0781 3460 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/05 16:19:09.0796 3460 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/05 16:19:09.0828 3460 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/05 16:19:09.0843 3460 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/05 16:19:09.0875 3460 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/05 16:19:09.0921 3460 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/05 16:19:09.0953 3460 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/05 16:19:10.0015 3460 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/05 16:19:10.0046 3460 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/05 16:19:10.0062 3460 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/05 16:19:10.0093 3460 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/05 16:19:10.0171 3460 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/02/05 16:19:10.0218 3460 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/05 16:19:10.0234 3460 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/05 16:19:10.0281 3460 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/05 16:19:10.0328 3460 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/05 16:19:10.0359 3460 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/05 16:19:10.0468 3460 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/05 16:19:10.0515 3460 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/05 16:19:10.0562 3460 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/05 16:19:10.0593 3460 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/05 16:19:10.0625 3460 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/05 16:19:10.0687 3460 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/05 16:19:10.0750 3460 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/05 16:19:10.0796 3460 USBAAPL (026f7f224f088ee11e383bca448fff81) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/02/05 16:19:10.0828 3460 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/05 16:19:10.0859 3460 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/05 16:19:10.0875 3460 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/02/05 16:19:10.0906 3460 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/05 16:19:10.0937 3460 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/05 16:19:10.0968 3460 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/05 16:19:11.0000 3460 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/05 16:19:11.0046 3460 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/05 16:19:11.0093 3460 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/05 16:19:11.0171 3460 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/02/05 16:19:11.0234 3460 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/05 16:19:11.0234 3460 ================================================================================
2011/02/05 16:19:11.0234 3460 Scan finished
2011/02/05 16:19:11.0234 3460 ================================================================================
2011/02/05 16:19:11.0250 2428 Detected object count: 1
2011/02/05 16:20:10.0203 2428 \HardDisk0 - will be cured after reboot
2011/02/05 16:20:10.0203 2428 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/05 16:20:24.0171 3280 Deinitialize success

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 136):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74B7000 MountMgr.sys
0xF7328000 ftdisk.sys
0xF798B000 dmload.sys
0xF7302000 dmio.sys
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF72EA000 atapi.sys
0xF72C5000 nvgts.sys
0xF72AD000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF728D000 fltmgr.sys
0xF727B000 sr.sys
0xF7717000 PxHelp20.sys
0xF7264000 KSecDD.sys
0xF71D7000 Ntfs.sys
0xF71AA000 NDIS.sys
0xF7190000 Mup.sys
0xF771F000 avgrkx86.sys
0xF74F7000 AVGIDSEH.Sys
0xF7527000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6CAF000 \SystemRoot\system32\DRIVERS\processr.sys
0xF7887000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6BFB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF788F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF69C8000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF69A4000 \SystemRoot\system32\drivers\portcls.sys
0xF6C9F000 \SystemRoot\system32\drivers\drmk.sys
0xF6981000 \SystemRoot\system32\drivers\ks.sys
0xF6C8F000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF6C7F000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF6C6F000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF774F000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF6C5F000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF6897000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF64E1000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xEB0F9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7817000 \SystemRoot\system32\DRIVERS\fdc.sys
0xEB5C0000 \SystemRoot\system32\DRIVERS\serial.sys
0xEF0DC000 \SystemRoot\system32\DRIVERS\serenum.sys
0xEB0E5000 \SystemRoot\system32\DRIVERS\parport.sys
0xEB5B0000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF781F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xEF0D8000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xEB0D0000 \SystemRoot\system32\DRIVERS\ngvpn.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xEB114000 \SystemRoot\system32\DRIVERS\audstub.sys
0xEB5A0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xEF0CC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xEB0B9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xEB590000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xEFA33000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xEB0A8000 \SystemRoot\system32\DRIVERS\psched.sys
0xEFA23000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7827000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7837000 \SystemRoot\system32\DRIVERS\raspti.sys
0xEB078000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xEB14E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF783F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xECD7E000 \SystemRoot\system32\DRIVERS\swenum.sys
0xEB01A000 \SystemRoot\system32\DRIVERS\update.sys
0xF796F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xEF5F1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xECD7C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEF5E1000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEF581000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xEFCF2000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xEE5DE000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xECD72000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xEE88D000 \SystemRoot\System32\Drivers\Null.SYS
0xECD70000 \SystemRoot\System32\Drivers\Beep.SYS
0xEFAD6000 \SystemRoot\System32\drivers\vga.sys
0xECD6E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xECD6C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEFACE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEFAC6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEF73A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAE77B000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAE722000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAE6C2000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xAE69C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEE5CE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEE5BE000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xAE674000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7118000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAE652000 \SystemRoot\System32\drivers\afd.sys
0xEE5AE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAE627000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAE5B7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEE59E000 \SystemRoot\System32\Drivers\Fips.SYS
0xAE57B000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xF3A1B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF395E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xEFAB6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF3A23000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAE56A000 \SystemRoot\System32\Drivers\Udfs.SYS
0xEF56D000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0xAE517000 \SystemRoot\System32\Drivers\dump_nvgts.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xEF555000 \SystemRoot\System32\drivers\Dxapi.sys
0xF4523000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xEB113000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF065000 \SystemRoot\System32\ati2cqag.dll
0xBF0FE000 \SystemRoot\System32\atikvmag.dll
0xBF182000 \SystemRoot\System32\atiok3x2.dll
0xBF1CD000 \SystemRoot\System32\ati3duag.dll
0xBF572000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF7627000 \SystemRoot\system32\DRIVERS\nglog.sys
0xAC182000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79FF000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF7537000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xEC0E5000 \SystemRoot\System32\Drivers\EPoXUSDM.SYS
0xAC08A000 \SystemRoot\system32\DRIVERS\srv.sys
0xEFF87000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xF7557000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xABF22000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xABBDE000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAB9BD000 \SystemRoot\System32\Drivers\HTTP.sys
0xAB840000 \SystemRoot\system32\drivers\wdmaud.sys
0xABA26000 \SystemRoot\system32\drivers\sysaudio.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 53):
0 System Idle Process
4 System
664 C:\WINDOWS\system32\smss.exe
712 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
768 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
912 csrss.exe
964 C:\WINDOWS\system32\winlogon.exe
1008 C:\WINDOWS\system32\services.exe
1020 C:\WINDOWS\system32\lsass.exe
1180 C:\WINDOWS\system32\ati2evxx.exe
1200 C:\WINDOWS\system32\svchost.exe
1260 svchost.exe
1368 C:\WINDOWS\system32\svchost.exe
1440 C:\WINDOWS\system32\ati2evxx.exe
1480 svchost.exe
1556 svchost.exe
1568 C:\WINDOWS\system32\ngvpnmgr.exe
1672 C:\WINDOWS\system32\spoolsv.exe
1920 svchost.exe
1960 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1984 C:\Program Files\AVG\AVG10\avgwdsvc.exe
2020 C:\Program Files\Bonjour\mDNSResponder.exe
372 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
304 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
680 C:\Program Files\Google\Update\GoogleUpdate.exe
940 C:\WINDOWS\system32\PnkBstrA.exe
1512 C:\WINDOWS\system32\svchost.exe
1648 wdfmgr.exe
1412 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
1880 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
1336 C:\Program Files\AVG\AVG10\avgnsx.exe
1360 C:\Program Files\AVG\AVG10\avgemcx.exe
2504 alg.exe
3168 C:\WINDOWS\system32\svchost.exe
1976 C:\WINDOWS\explorer.exe
2452 C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
2460 C:\WINDOWS\SOUNDMAN.EXE
588 C:\Program Files\EPoX\USDM\USDM.EXE
2580 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2604 C:\Program Files\QuickTime\QTTask.exe
2612 C:\Program Files\iTunes\iTunesHelper.exe
2620 C:\Program Files\AVG\AVG10\avgtray.exe
2628 C:\WINDOWS\system32\ctfmon.exe
2660 C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
2740 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
272 C:\Program Files\OpenOffice.org 3\program\soffice.exe
2860 C:\Program Files\OpenOffice.org 3\program\soffice.bin
3280 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
260 C:\Program Files\iPod\bin\iPodService.exe
3464 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
2688 C:\Program Files\Mozilla Firefox\firefox.exe
252 wmiprvse.exe
2668 C:\Documents and Settings\Ken\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD740GD-00FLA2, Rev: 31.08F31

Size Device Name MBR Status
--------------------------------------------
69 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
69 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 06 February 2011 - 03:34 PM

Hello,


You had a MBR rootkit infection but it has been cured. Lets run a couple of scanners to make sure nothing else is involved with this rootkit.


1.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

2.
Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives

5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with a fresh DDS log.

Things to include in your next reply::
MBAM log
Kaspersky log
A new DDS log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 execute

execute
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 06 February 2011 - 11:41 PM

I ran Malwarebytes successfully. However, the Kaspersky website failed to scan my system and returned the following messge:

The program is starting. Please wait...
Updates source is selected: http://www.kaspersky.com
File download: packages/kos-extras.jar
The program is started.

Updating the anti-virus database. Please wait...

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]

Here is the MBAM log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5697

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/6/2011 2:31:19 PM
mbam-log-2011-02-06 (14-31-19).txt

Scan type: Quick scan
Objects scanned: 227822
Time elapsed: 12 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\28.tmp (PUP.BHO) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\8.917723241318479e8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\mhki\setup.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\YDC01W4J\whitesmoketoolbar[1].exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 07 February 2011 - 12:25 AM

Hello,

Lets run another online scanner that is good.

1.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

2.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.


Things to include in your next reply::
ESET log
DDS.txt
Attach.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 execute

execute
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 07 February 2011 - 02:20 AM

I ran ESET and it did not find any threats so there was no log file to export.
My computer is not showing any symptoms of a virus. Things look good.

Here are the results from DDS:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Ken at 23:23:25.62 on Sun 02/06/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.350 [GMT -8:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: NVIDIA Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\EPoX\USDM\USDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ken\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [<NO NAME>]
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [EPoXUSDM] "c:\program files\epox\usdm\USDM.EXE" "5000"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {5F572187-3588-40AC-B72B-A9FD0B5E0643} = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ken\applic~1\mozilla\firefox\profiles\kz9iejyy.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 app_filter;app_filter;c:\program files\nvidia corporation\networkaccessmanager\bin\nSvcAppFlt.exe [2004-11-24 139264]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2010-7-20 291496]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2010-7-20 27160]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2010-7-20 77336]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 gupdate1c998a67f11a268;Google Update Service (gupdate1c998a67f11a268);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2010-7-20 23064]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2010-7-20 25112]
S3 PRISM_ICB;SMC2802W 2.4GHz 54Mbps Wireless PCI Card;c:\windows\system32\drivers\smc2802w.sys [2005-6-6 56512]

=============== Created Last 30 ================

2011-02-07 05:41:40 -------- d-----w- c:\program files\ESET
2011-02-06 22:35:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-06 22:35:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-06 22:35:43 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-02-06 04:58:15 -------- d-----w- c:\docume~1\ken\applic~1\SumatraPDF
2011-02-06 04:58:12 -------- d-----w- c:\program files\SumatraPDF
2011-02-05 07:09:06 -------- d--h--w- C:\$AVG
2011-02-05 06:26:49 -------- d-----w- c:\docume~1\ken\applic~1\AVG10
2011-02-05 06:25:36 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-05 06:24:32 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-05 06:24:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-05 06:24:08 -------- d-----w- c:\program files\AVG
2011-02-05 06:04:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-04 17:42:52 -------- d-----w- c:\docume~1\ken\applic~1\Malwarebytes
2011-02-04 17:42:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-04 17:42:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-04 17:42:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-04 17:42:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-04 17:20:10 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-04 17:20:10 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 02:32:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Aventail
2011-01-26 02:32:39 -------- d-----w- c:\program files\Aventail Connect
2011-01-26 02:30:21 -------- d-----w- c:\docume~1\ken\applic~1\Aventail

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 23:23:51.73 ===============

Attached Files



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 10 February 2011 - 04:38 PM

Hello, execute.
Congratulations! You now appear clean! :cool:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Reset System Restore
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 12 February 2011 - 05:42 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:14 AM

Posted 14 February 2011 - 01:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users