Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google searches hijacked. Is this Malware?


  • Please log in to reply
3 replies to this topic

#1 Bob A. H.

Bob A. H.

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:27 PM

Posted 27 February 2011 - 06:55 AM

My name is Robert.

I am running Windows XP professional. I have etrust antivirus software, and since my problem appeared I also installed AVG internet security 2011.

My problem started with popups which claimed they were scanning for viruses. I think I tried to stop these pop ups, but I am not sure if they did not complete.

The next thing I knew was that all my Google searches were being hijacked to totally unrelated sites.

I downloaded Malwarebytes AntiMalware software and run it. This found a three Trojans (cannot remember their names) and I deleted these.

My etrust antivirus software and my AVG Internet Security 2011 scans find nothing.

It did not solve my problem. I also read somewhere about hijack this and I downloaded this and ran it. I have not done anything with this other than look at the log.

I still have my problem of hijacked Google searches.

Can any one help me sort this apparent Malware problem out?

Robert

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:27 AM

Posted 27 February 2011 - 02:24 PM

Hello Robert,yes it is a malware,probably a rootkit.

have etrust antivirus software, and since my problem appeared I also installed AVG

If you have 2 active AV's running,you will get conflicts,slowness and probable false positives. One has to go.

Please post that MBAM log you have.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Now run these

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Bob A. H.

Bob A. H.
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:27 PM

Posted 09 March 2011 - 10:23 AM

Old Malwarebytes log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5882

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/02/2011 6:56:45 AM
mbam-log-2011-02-27 (06-56-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 32781
Time elapsed: 1 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2ED2390A-E6F6-F895-FE75-013E2D97184A} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


TDS Killer Log

2011/03/10 00:37:05.0040 0168 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/10 00:37:07.0040 0168 ================================================================================
2011/03/10 00:37:07.0040 0168 SystemInfo:
2011/03/10 00:37:07.0040 0168
2011/03/10 00:37:07.0040 0168 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/10 00:37:07.0040 0168 Product type: Workstation
2011/03/10 00:37:07.0040 0168 ComputerName: CHURCHLAPTOP
2011/03/10 00:37:07.0040 0168 UserName: Liturgy
2011/03/10 00:37:07.0040 0168 Windows directory: C:\WINDOWS
2011/03/10 00:37:07.0040 0168 System windows directory: C:\WINDOWS
2011/03/10 00:37:07.0040 0168 Processor architecture: Intel x86
2011/03/10 00:37:07.0040 0168 Number of processors: 2
2011/03/10 00:37:07.0040 0168 Page size: 0x1000
2011/03/10 00:37:07.0040 0168 Boot type: Normal boot
2011/03/10 00:37:07.0040 0168 ================================================================================
2011/03/10 00:37:10.0213 0168 Initialize success
2011/03/10 00:37:17.0918 2884 ================================================================================
2011/03/10 00:37:17.0918 2884 Scan started
2011/03/10 00:37:17.0918 2884 Mode: Manual;
2011/03/10 00:37:17.0918 2884 ================================================================================
2011/03/10 00:37:19.0934 2884 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/10 00:37:20.0481 2884 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/10 00:37:21.0450 2884 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/10 00:37:22.0075 2884 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/10 00:37:23.0247 2884 AgereSoftModem (c41a5740468d0b9cb46e6390a0e15ce3) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/03/10 00:37:27.0529 2884 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/03/10 00:37:29.0749 2884 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/03/10 00:37:31.0812 2884 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/10 00:37:32.0530 2884 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/10 00:37:33.0484 2884 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/10 00:37:34.0000 2884 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/10 00:37:34.0781 2884 Avgfwdx (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/03/10 00:37:34.0812 2884 Avgfwfd (0c5941af0b6bf2fdf378937392865217) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
2011/03/10 00:37:35.0500 2884 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/03/10 00:37:36.0047 2884 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/03/10 00:37:36.0828 2884 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/03/10 00:37:37.0657 2884 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/03/10 00:37:38.0422 2884 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/03/10 00:37:39.0047 2884 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/03/10 00:37:39.0735 2884 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/03/10 00:37:40.0563 2884 Avgtdix (660788ec46f10ece80274d564fa8b4aa) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/03/10 00:37:41.0189 2884 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/10 00:37:41.0907 2884 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/10 00:37:42.0970 2884 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/10 00:37:43.0767 2884 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/10 00:37:44.0533 2884 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/10 00:37:45.0439 2884 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/03/10 00:37:46.0361 2884 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/03/10 00:37:48.0127 2884 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/10 00:37:49.0034 2884 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/10 00:37:50.0081 2884 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/10 00:37:50.0597 2884 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/10 00:37:51.0066 2884 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/10 00:37:52.0550 2884 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/10 00:37:53.0394 2884 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/03/10 00:37:54.0613 2884 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/10 00:37:55.0551 2884 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/03/10 00:37:56.0035 2884 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/10 00:37:57.0004 2884 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/03/10 00:37:58.0098 2884 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/10 00:37:59.0052 2884 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/10 00:37:59.0692 2884 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/10 00:38:00.0349 2884 GhMon (3596f0e6a10c8f1a670be62f8f21380f) C:\WINDOWS\system32\Drivers\ghmon.sys
2011/03/10 00:38:00.0943 2884 GhPostConfig (7981deea2c12913bb05df6dab84d8ee3) C:\WINDOWS\system32\Drivers\ghpcw2k.sys
2011/03/10 00:38:01.0240 2884 GhPostConfig_Auto (7981deea2c12913bb05df6dab84d8ee3) C:\WINDOWS\system32\Drivers\ghpcw2k.sys
2011/03/10 00:38:01.0708 2884 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/10 00:38:02.0271 2884 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/10 00:38:02.0880 2884 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/10 00:38:04.0053 2884 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/10 00:38:05.0490 2884 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/10 00:38:06.0647 2884 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/03/10 00:38:07.0803 2884 IFXTPM (0b556e950404d90d097c687e65238730) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2011/03/10 00:38:08.0303 2884 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/10 00:38:12.0617 2884 IntcAzAudAddService (988a112c4061f309ce9c1abfc971d001) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/03/10 00:38:16.0555 2884 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/10 00:38:17.0071 2884 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/10 00:38:17.0743 2884 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/10 00:38:18.0259 2884 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/10 00:38:18.0821 2884 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/10 00:38:19.0462 2884 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/10 00:38:19.0978 2884 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/10 00:38:20.0478 2884 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/10 00:38:21.0040 2884 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/10 00:38:21.0525 2884 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/10 00:38:22.0072 2884 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/10 00:38:22.0619 2884 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/10 00:38:23.0619 2884 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/10 00:38:24.0197 2884 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/10 00:38:25.0416 2884 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/03/10 00:38:26.0620 2884 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/10 00:38:27.0104 2884 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/10 00:38:27.0698 2884 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/10 00:38:28.0636 2884 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/10 00:38:29.0433 2884 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/10 00:38:30.0120 2884 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/10 00:38:30.0652 2884 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/10 00:38:31.0105 2884 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/10 00:38:31.0605 2884 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/10 00:38:32.0090 2884 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/10 00:38:32.0605 2884 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/10 00:38:33.0184 2884 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/10 00:38:33.0762 2884 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/10 00:38:34.0215 2884 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/10 00:38:34.0950 2884 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/10 00:38:35.0668 2884 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/10 00:38:36.0137 2884 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/10 00:38:36.0997 2884 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/10 00:38:37.0888 2884 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/03/10 00:38:38.0528 2884 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/10 00:38:39.0435 2884 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/10 00:38:40.0201 2884 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/10 00:38:40.0654 2884 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/10 00:38:41.0170 2884 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/10 00:38:41.0685 2884 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/03/10 00:38:42.0264 2884 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/10 00:38:42.0748 2884 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/10 00:38:43.0201 2884 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/10 00:38:43.0686 2884 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/10 00:38:44.0608 2884 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/10 00:38:45.0170 2884 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/03/10 00:38:48.0030 2884 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/10 00:38:48.0796 2884 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/10 00:38:49.0609 2884 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/10 00:38:50.0093 2884 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/10 00:38:52.0906 2884 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/10 00:38:53.0391 2884 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/10 00:38:53.0875 2884 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/10 00:38:54.0469 2884 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/10 00:38:55.0063 2884 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/10 00:38:55.0626 2884 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/10 00:38:56.0204 2884 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/10 00:38:56.0892 2884 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/10 00:38:57.0579 2884 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/10 00:38:58.0282 2884 SBRE (c1ae5d1f53285d79a0b73a62af20734f) C:\WINDOWS\system32\drivers\SBREdrv.sys
2011/03/10 00:38:58.0876 2884 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/03/10 00:38:59.0455 2884 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/10 00:38:59.0923 2884 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/10 00:39:00.0408 2884 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/10 00:39:00.0939 2884 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/03/10 00:39:01.0549 2884 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/03/10 00:39:02.0221 2884 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/03/10 00:39:03.0987 2884 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/10 00:39:04.0659 2884 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/10 00:39:05.0534 2884 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/10 00:39:06.0518 2884 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/10 00:39:07.0050 2884 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/10 00:39:09.0285 2884 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/10 00:39:10.0082 2884 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/10 00:39:10.0722 2884 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/10 00:39:11.0223 2884 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/10 00:39:11.0801 2884 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/10 00:39:12.0613 2884 Thpdrv (9a932560e9246b0d370fb97789bc0fd4) C:\WINDOWS\system32\DRIVERS\thpdrv.sys
2011/03/10 00:39:13.0364 2884 Thpevm (51b3dfbe72ce64faf326c07ccbb5d632) C:\WINDOWS\system32\DRIVERS\Thpevm.SYS
2011/03/10 00:39:14.0286 2884 TVALZ (ccf4f8f8240f7057bf864ef73e91dcbb) C:\WINDOWS\system32\DRIVERS\TVALZ.SYS
2011/03/10 00:39:14.0833 2884 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/10 00:39:15.0942 2884 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/10 00:39:16.0614 2884 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/10 00:39:17.0114 2884 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/10 00:39:17.0755 2884 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/10 00:39:18.0271 2884 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/10 00:39:18.0740 2884 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/10 00:39:19.0287 2884 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/10 00:39:19.0834 2884 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/10 00:39:20.0725 2884 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/10 00:39:20.0756 2884 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/03/10 00:39:20.0756 2884 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/10 00:39:21.0881 2884 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2011/03/10 00:39:23.0194 2884 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/10 00:39:24.0460 2884 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/10 00:39:25.0116 2884 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/03/10 00:39:25.0616 2884 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/03/10 00:39:26.0148 2884 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/10 00:39:26.0726 2884 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/10 00:39:27.0226 2884 ================================================================================
2011/03/10 00:39:27.0226 2884 Scan finished
2011/03/10 00:39:27.0226 2884 ================================================================================
2011/03/10 00:39:27.0257 1504 Detected object count: 1
2011/03/10 00:40:01.0858 1504 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/10 00:40:01.0889 1504 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/03/10 00:40:07.0172 1504 Backup copy found, using it..
2011/03/10 00:40:07.0250 1504 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/03/10 00:40:07.0250 1504 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/03/10 00:40:19.0705 3812 Deinitialize success

The new Malwarebytes scan log since cure with TDSSkiller.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5998

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/03/2011 1:18:14 AM
mbam-log-2011-03-10 (01-18-14).txt

Scan type: Quick scan
Objects scanned: 182290
Time elapsed: 22 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This seems to have worked. TDSKiller seems to have detected and cured something called VolSnap. Once this was cured and the computer rebooted it now seems that my Google searches are not being hijacked. So far so good. Thank you so much. I am so grateful.

Robert Hollow

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:27 AM

Posted 09 March 2011 - 02:25 PM

Great!! That should be the problem..
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users