Google redirecting to strange pages


12 replies to this topic

#1 duncan76 (Members, 6 posts)

Posted 14 March 2011 - 09:35 AM

Hello,

About 2 days ago, I noticed I could not click on a search result from google without being redirected to some random page. I discovered I could hold down the "shift" key to open the link in a new window to work around the problem, but today that isn't even helping. I have installed and run Malwarebytes. The first time it found 22 infected files and removed them. After a reboot, the issue was still happening, so I ran it again and it only found 1 infected file which it then removed. Needless to say, I am still having the same issue. I have googled the topic and read several threads about using combofix, but all threads also cautioned beginners from using this product. I am not a beginner (not anywhere near an expert either), but I thought I would consult the real experts before digging myself into a hole.

Any help is greatly appreciated.


Thank you!


#2 SweetTech (Agent ST; Members, 13,421 posts)

Posted 14 March 2011 - 09:46 AM

duncan76,

This thread will shortly be moved to the Am I Infected forum.

Can you please post the MalwareBytes' Anti-Malware log?

Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Logs tab
  • Click on the latest log. The bottom most log is the latest
  • Click Open
  • Notepad will open. Please post this log in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 duncan76 (Topic Starter; Members, 6 posts)

Posted 14 March 2011 - 09:49 AM

SweetTech - Thank you so much for your help. Below is the most recent log (when it only found 1 infected file).

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6034

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/13/2011 9:34:29 AM
mbam-log-2011-03-13 (09-34-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 235808
Time elapsed: 58 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\the curnuttes\local settings\temporary internet files\Content.IE5\1247FYAH\couponalert[1].exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.

#4 SweetTech (Agent ST; Members, 13,421 posts)

Posted 14 March 2011 - 09:52 AM

Could you post the MBAM log where it found the 22 infected items?



#5 duncan76 (Topic Starter; Members, 6 posts)

Posted 14 March 2011 - 09:56 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6034

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/12/2011 12:11:54 PM
mbam-log-2011-03-12 (12-11-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 234860
Time elapsed: 55 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QueryExplorer Service (Adware.QueryExplorer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100EB1FD-D03E-47FD-81F3-EE91287F9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QueryExplorer (Adware.QueryExplorer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Reporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ShopperReports.Reporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\QueryExplorer (Adware.QueryExplorer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QUERYEXPLORER_SERVICE (Adware.QueryExplorer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\SRS_IT_E8790576B6765C5032AD90 (Malware.Trace) -> Value: SRS_IT_E8790576B6765C5032AD90 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\all users\application data\queryexplorer (Adware.QueryExplorer) -> Quarantined and deleted successfully.
c:\program files\queryexplorer (Adware.QueryExplorer) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\queryexplorer\queryexplorer115.exe (Adware.QueryExplorer) -> Quarantined and deleted successfully.
c:\documents and settings\the curnuttes\local settings\Temp\F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\the curnuttes\local settings\temporary internet files\Content.IE5\1247FYAH\couponalert[1].exe (PUP.FunWebProducts) -> Not selected for removal.
c:\program files\queryexplorer\queryexplorer.exe (Adware.QueryExplorer) -> Quarantined and deleted successfully.
c:\program files\queryexplorer\uninstall.exe (Adware.QueryExplorer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\10.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
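Comparing two MBAM logs by eye is error-prone, and the interesting question after a rescan is not "how many items" but "what was removed, what is still there, and what did the scanner see but leave alone". The Python below is an added example, not code from this thread or from Malwarebytes: it parses MBAM 1.50-style logs into (section, item) -> (family, action) records and diffs two consecutive scans. The two log texts embedded in it are trimmed copies of the logs posted above, used as constructed test input.

```python
import re
from collections import Counter

# Trimmed copies of the two MBAM logs posted in this thread (constructed test input).
SCAN_1 = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6034

3/12/2011 12:11:54 PM

Registry Keys Infected: 13
Files Infected: 6

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QueryExplorer Service (Adware.QueryExplorer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\SRS_IT_E8790576B6765C5032AD90 (Malware.Trace) -> Value: SRS_IT_E8790576B6765C5032AD90 -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\queryexplorer (Adware.QueryExplorer) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\the curnuttes\local settings\Temp\F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\the curnuttes\local settings\temporary internet files\Content.IE5\1247FYAH\couponalert[1].exe (PUP.FunWebProducts) -> Not selected for removal.
c:\WINDOWS\Temp\10.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6034

3/13/2011 9:34:29 AM

Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\the curnuttes\local settings\temporary internet files\Content.IE5\1247FYAH\couponalert[1].exe (PUP.FunWebProducts) -> Quarantined and deleted successfully.
"""

# A section header is "<Name> Infected:" with nothing after the colon (the count lines have a number).
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# An item is "<path or key> (<Family.Name>) -> [Value: x -> ]<action>."
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()\s]+)\) -> (?P<rest>.+?)\.?$")


def parse_mbam_log(text):
    """Map (section, item) -> (family, final action) for every detection in one log."""
    findings, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if not section or not line or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            # Registry-value lines carry "Value: x -> action"; keep only the final action.
            action = m.group("rest").split(" -> ")[-1]
            # Case-fold: Windows paths and key names are case-insensitive, and MBAM is not consistent.
            findings[(section, m.group("item").lower())] = (m.group("family"), action)
    return findings


def compare_scans(before, after):
    """Diff two consecutive scans: what disappeared, what is still reported, what is new."""
    return {
        "gone": sorted(k for k in before if k not in after),
        "persisted": sorted(k for k in before if k in after),
        "new": sorted(k for k in after if k not in before),
    }


def not_removed(findings):
    """Detections the scanner reported but did not quarantine (e.g. 'Not selected for removal')."""
    return sorted(k for k, (_, action) in findings.items() if not action.startswith("Quarantined"))


def family_counts(findings):
    """Detections per threat family, to judge what kind of thing the scan actually cleaned."""
    return Counter(family for family, _ in findings.values())


if __name__ == "__main__":
    before, after = parse_mbam_log(SCAN_1), parse_mbam_log(SCAN_2)
    print("families in first scan:", dict(family_counts(before)))
    print("reported but not removed in first scan:", not_removed(before))
    diff = compare_scans(before, after)
    print("still reported in second scan:", diff["persisted"])
    print("new in second scan:", diff["new"])
```

Run on the two logs above, the only item the second scan reports is the couponalert[1].exe that the first scan listed as "Not selected for removal"; every family in the list is adware, a PUP or a FakeAlert dropper. When a symptom like forced search redirection survives removal of that sort of thing, that is the cue to look lower in the stack (kernel drivers, rootkits) rather than rescan with the same tool.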

#6 SweetTech (Agent ST; Members, 13,421 posts)

Posted 14 March 2011 - 10:01 AM

Okay, we need to hang tight for a little bit, I want to wait for a moderator to move this thread, before I proceed with giving you additional instructions to complete.



#7 SweetTech (Agent ST; Members, 13,421 posts)

Posted 14 March 2011 - 10:44 AM

duncan76,


Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



#8 duncan76 (Topic Starter; Members, 6 posts)

Posted 14 March 2011 - 10:58 AM

2011/03/14 11:56:59.0496 4084 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/14 11:57:00.0017 4084 ================================================================================
2011/03/14 11:57:00.0017 4084 SystemInfo:
2011/03/14 11:57:00.0017 4084
2011/03/14 11:57:00.0017 4084 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/14 11:57:00.0017 4084 Product type: Workstation
2011/03/14 11:57:00.0017 4084 ComputerName: LAPTOP
2011/03/14 11:57:00.0017 4084 UserName: The Curnuttes
2011/03/14 11:57:00.0017 4084 Windows directory: C:\WINDOWS
2011/03/14 11:57:00.0017 4084 System windows directory: C:\WINDOWS
2011/03/14 11:57:00.0017 4084 Processor architecture: Intel x86
2011/03/14 11:57:00.0017 4084 Number of processors: 1
2011/03/14 11:57:00.0017 4084 Page size: 0x1000
2011/03/14 11:57:00.0017 4084 Boot type: Normal boot
2011/03/14 11:57:00.0017 4084 ================================================================================
2011/03/14 11:57:00.0608 4084 Initialize success
2011/03/14 11:57:03.0382 4460 ================================================================================
2011/03/14 11:57:03.0382 4460 Scan started
2011/03/14 11:57:03.0392 4460 Mode: Manual;
2011/03/14 11:57:03.0392 4460 ================================================================================
2011/03/14 11:57:05.0184 4460 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/14 11:57:05.0264 4460 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/14 11:57:05.0505 4460 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/14 11:57:05.0755 4460 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/03/14 11:57:05.0865 4460 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/14 11:57:06.0145 4460 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/03/14 11:57:06.0666 4460 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/03/14 11:57:06.0977 4460 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/14 11:57:07.0137 4460 atapi (16e8b4f35c1594141cd2617f06fe07e2) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/14 11:57:07.0137 4460 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 16e8b4f35c1594141cd2617f06fe07e2, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/03/14 11:57:07.0157 4460 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/14 11:57:07.0417 4460 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/14 11:57:07.0568 4460 ATIXPGAA (f21a181099887722a775d575e51ecf3d) C:\Dell\Drivers\R88754\ATIXPGAA.SYS
2011/03/14 11:57:07.0698 4460 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/14 11:57:07.0828 4460 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/14 11:57:08.0008 4460 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2011/03/14 11:57:08.0168 4460 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2011/03/14 11:57:08.0259 4460 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2011/03/14 11:57:08.0349 4460 bcm4sbxp (e727776a56a51b7e6b7c87c02ea8b405) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/03/14 11:57:08.0459 4460 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/14 11:57:08.0569 4460 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/14 11:57:08.0739 4460 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/14 11:57:08.0919 4460 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/14 11:57:09.0100 4460 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/14 11:57:09.0200 4460 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/14 11:57:09.0370 4460 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/03/14 11:57:09.0530 4460 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/03/14 11:57:09.0901 4460 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/14 11:57:10.0091 4460 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/14 11:57:10.0311 4460 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/14 11:57:10.0422 4460 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/14 11:57:10.0582 4460 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/14 11:57:10.0812 4460 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/14 11:57:10.0932 4460 drvmcdb (b15f9e526ba511a48b1b1b8537815740) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/03/14 11:57:11.0012 4460 drvnddm (fa4670cae95ae2bb857c68e535661145) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/03/14 11:57:11.0163 4460 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/14 11:57:11.0293 4460 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/03/14 11:57:11.0403 4460 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/03/14 11:57:11.0563 4460 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/14 11:57:11.0673 4460 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/03/14 11:57:11.0774 4460 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/14 11:57:11.0904 4460 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/14 11:57:11.0984 4460 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/14 11:57:12.0134 4460 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/03/14 11:57:12.0284 4460 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/14 11:57:12.0425 4460 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/14 11:57:12.0665 4460 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/14 11:57:12.0995 4460 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/14 11:57:13.0146 4460 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/14 11:57:13.0346 4460 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/14 11:57:13.0416 4460 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/14 11:57:13.0506 4460 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/14 11:57:13.0626 4460 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/14 11:57:13.0726 4460 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/14 11:57:13.0867 4460 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/14 11:57:13.0967 4460 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/14 11:57:14.0137 4460 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/14 11:57:14.0247 4460 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/14 11:57:14.0357 4460 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/14 11:57:14.0477 4460 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/14 11:57:14.0578 4460 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/14 11:57:14.0828 4460 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/03/14 11:57:15.0008 4460 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\WINDOWS\system32\DRIVERS\lvrs.sys
2011/03/14 11:57:15.0539 4460 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/03/14 11:57:15.0809 4460 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/14 11:57:15.0920 4460 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/14 11:57:16.0040 4460 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/14 11:57:16.0240 4460 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/14 11:57:16.0420 4460 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/14 11:57:16.0560 4460 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/14 11:57:16.0721 4460 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/14 11:57:16.0901 4460 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/14 11:57:17.0041 4460 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/14 11:57:17.0141 4460 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/14 11:57:17.0492 4460 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/14 11:57:17.0572 4460 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/14 11:57:17.0682 4460 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/14 11:57:17.0792 4460 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/14 11:57:17.0912 4460 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/14 11:57:18.0033 4460 NAL (ebbef7d3ddeb24239ab8d067f3a27ccf) C:\WINDOWS\system32\Drivers\iqvw32.sys
2011/03/14 11:57:18.0193 4460 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/14 11:57:18.0383 4460 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/14 11:57:18.0523 4460 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/14 11:57:18.0593 4460 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/14 11:57:18.0673 4460 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/14 11:57:18.0794 4460 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/14 11:57:18.0864 4460 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/14 11:57:18.0994 4460 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/14 11:57:19.0114 4460 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/03/14 11:57:19.0274 4460 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/14 11:57:19.0455 4460 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/14 11:57:19.0585 4460 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/14 11:57:19.0695 4460 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/14 11:57:19.0795 4460 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/14 11:57:19.0895 4460 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/03/14 11:57:20.0025 4460 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/03/14 11:57:20.0096 4460 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/14 11:57:20.0256 4460 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/14 11:57:20.0616 4460 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/14 11:57:20.0756 4460 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/03/14 11:57:20.0827 4460 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/03/14 11:57:21.0407 4460 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/14 11:57:21.0518 4460 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/14 11:57:21.0628 4460 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/14 11:57:21.0768 4460 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/14 11:57:22.0159 4460 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/14 11:57:22.0299 4460 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/14 11:57:22.0399 4460 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/14 11:57:22.0579 4460 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/14 11:57:22.0669 4460 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/14 11:57:22.0739 4460 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/14 11:57:22.0819 4460 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/14 11:57:22.0930 4460 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/14 11:57:23.0040 4460 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/14 11:57:23.0250 4460 s24trans (423ae506c8d55bba9e429eeeec035a40) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/03/14 11:57:23.0420 4460 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/03/14 11:57:23.0591 4460 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/14 11:57:23.0731 4460 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/03/14 11:57:23.0821 4460 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/14 11:57:24.0021 4460 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/14 11:57:24.0171 4460 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/14 11:57:24.0322 4460 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/14 11:57:24.0502 4460 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/14 11:57:24.0702 4460 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/03/14 11:57:24.0832 4460 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/03/14 11:57:24.0993 4460 STAC97 (305cc42945a713347f978d78566113f3) C:\WINDOWS\system32\drivers\STAC97.sys
2011/03/14 11:57:25.0113 4460 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/14 11:57:25.0203 4460 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/14 11:57:25.0303 4460 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/14 11:57:25.0744 4460 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/14 11:57:25.0894 4460 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/14 11:57:26.0084 4460 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/14 11:57:26.0244 4460 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/14 11:57:26.0365 4460 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/14 11:57:26.0485 4460 tfsnboio (1d265cd2fb1673a0873bf8cec19ddc7f) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/03/14 11:57:26.0525 4460 tfsncofs (62e4901295e0467cac78e5b4b131ae5c) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/03/14 11:57:26.0565 4460 tfsndrct (a2f380f9252ab3464c859adf91eead9c) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/03/14 11:57:26.0615 4460 tfsndres (eee79bbefe9c6a2a3ce6c8753cfea950) C:\WINDOWS\system32\dla\tfsndres.sys
2011/03/14 11:57:26.0655 4460 tfsnifs (9d644eb11fec9487450c4cfcd63a5df4) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/03/14 11:57:26.0725 4460 tfsnopio (e656af05c67edb7c0e9230a5df71ed1b) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/03/14 11:57:26.0765 4460 tfsnpool (64fccb9cce703ca507dffc3cebf6b2cb) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/03/14 11:57:26.0795 4460 tfsnudf (48bc9d8ab4e4b9bff70fb18e55cec3d6) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/03/14 11:57:26.0845 4460 tfsnudfa (79f60822224256b49bfc855da8d651d5) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/03/14 11:57:26.0975 4460 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/14 11:57:27.0116 4460 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/14 11:57:27.0246 4460 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/03/14 11:57:27.0396 4460 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/14 11:57:27.0566 4460 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/14 11:57:27.0727 4460 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/14 11:57:27.0837 4460 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/14 11:57:27.0967 4460 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/14 11:57:28.0077 4460 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/14 11:57:28.0167 4460 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/14 11:57:28.0307 4460 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/03/14 11:57:28.0478 4460 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/14 11:57:28.0668 4460 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/14 11:57:28.0868 4460 w70n51 (fb4d7a34ef3b49c2b5439e330b785313) C:\WINDOWS\system32\DRIVERS\w70n51.sys
2011/03/14 11:57:28.0948 4460 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/14 11:57:29.0149 4460 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/14 11:57:29.0369 4460 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/14 11:57:29.0729 4460 ================================================================================
2011/03/14 11:57:29.0729 4460 Scan finished
2011/03/14 11:57:29.0729 4460 ================================================================================
2011/03/14 11:57:29.0769 1592 Detected object count: 1
2011/03/14 11:57:39.0223 1592 atapi (16e8b4f35c1594141cd2617f06fe07e2) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/14 11:57:39.0223 1592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 16e8b4f35c1594141cd2617f06fe07e2, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/03/14 11:57:40.0966 1592 Backup copy found, using it..
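In a 180-line driver listing like the one above, the whole finding is three lines, and they are easy to miss. The Python below is an added example (not part of this thread and not Kaspersky's code) that parses a TDSSKiller log of this format and reduces it to what an analyst needs: files for which the tool reports two different MD5s (the "Real md5" it computed itself and the "Fake md5" a normal read returns; the disagreement, not either value, is the indicator that something in the I/O path is rewriting what is read, which is exactly what a kernel-mode rootkit such as TDL3 does), named detections, drivers loaded from outside the Windows directory, and whether the tool restored a backup copy. The log embedded in it is a trimmed copy of the one posted above, used as constructed test input; the "outside Windows directory" heuristic is this example's own triage rule, not something TDSSKiller reports.

```python
import re

# Trimmed copy of the TDSSKiller 2.4.21.0 log posted above (constructed test input).
SAMPLE_LOG = r"""2011/03/14 11:56:59.0496 4084 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/14 11:57:00.0017 4084 SystemInfo:
2011/03/14 11:57:00.0017 4084
2011/03/14 11:57:00.0017 4084 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/14 11:57:00.0017 4084 Windows directory: C:\WINDOWS
2011/03/14 11:57:03.0382 4460 Scan started
2011/03/14 11:57:05.0184 4460 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/14 11:57:07.0137 4460 atapi (16e8b4f35c1594141cd2617f06fe07e2) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/14 11:57:07.0137 4460 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 16e8b4f35c1594141cd2617f06fe07e2, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/03/14 11:57:07.0157 4460 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/14 11:57:07.0568 4460 ATIXPGAA (f21a181099887722a775d575e51ecf3d) C:\Dell\Drivers\R88754\ATIXPGAA.SYS
2011/03/14 11:57:08.0008 4460 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2011/03/14 11:57:29.0729 4460 Scan finished
2011/03/14 11:57:29.0769 1592 Detected object count: 1
2011/03/14 11:57:39.0223 1592 atapi (16e8b4f35c1594141cd2617f06fe07e2) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/14 11:57:39.0223 1592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 16e8b4f35c1594141cd2617f06fe07e2, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/03/14 11:57:40.0966 1592 Backup copy found, using it..
"""

# Every line is "<date> <time> <pid> <message>"; the message may be empty.
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+(?P<pid>\d+)\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(r"^Suspicious file \((?P<kind>[^)]+)\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+)")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


def parse_tdsskiller_log(text):
    """Pull drivers, hash mismatches, detections and the remediation outcome out of one log."""
    report = {"windows_dir": None, "drivers": {}, "forged": [], "detections": [],
              "detected_count": None, "backup_restored": False}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Windows directory: "):
            report["windows_dir"] = msg.split(": ", 1)[1]
            continue
        d = DRIVER_RE.match(msg)
        if d:
            report["drivers"][d["name"]] = (d["md5"], d["path"])
            continue
        f = FORGED_RE.match(msg)
        if f:
            entry = (f["path"], f["real"], f["fake"])
            if entry not in report["forged"]:  # the cure pass repeats the scan-phase line
                report["forged"].append(entry)
            continue
        t = DETECT_RE.match(msg)
        if t:
            report["detections"].append((t["name"], t["verdict"]))
            continue
        c = COUNT_RE.match(msg)
        if c:
            report["detected_count"] = int(c["n"])
        elif msg.startswith("Backup copy found"):
            report["backup_restored"] = True
    return report


def drivers_outside_windows_dir(report):
    """Drivers not loaded from under the Windows directory: often legitimate OEM packages, but verify them."""
    prefix = (report["windows_dir"] or "C:\\WINDOWS").lower()
    return sorted(name for name, (_, path) in report["drivers"].items()
                  if not path.lower().startswith(prefix))


def triage(report):
    """Collapse the parsed log into the handful of lines that decide what happens next."""
    notes = []
    for path, real, fake in report["forged"]:
        notes.append(f"HASH MISMATCH {path}: real {real} != fake {fake} (reads are being intercepted)")
    for name, verdict in report["detections"]:
        notes.append(f"DETECTION {name}: {verdict}")
    for name in drivers_outside_windows_dir(report):
        notes.append(f"VERIFY {name}: loaded from {report['drivers'][name][1]}")
    if report["forged"] and not report["backup_restored"]:
        notes.append("forged file was not restored from backup; rescan after reboot")
    return notes


if __name__ == "__main__":
    for note in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(note)
```

On the log above this yields the atapi.sys hash mismatch, the Rootkit.Win32.TDSS.tdl3 verdict, and one driver (ATIXPGAA, from C:\Dell\Drivers) to verify as a vendor file; since the log also records "Backup copy found, using it..", the tool restored the file itself, and the sensible next step is the one SweetTech takes below: a second, independent scan after the reboot rather than trusting a single tool's self-report.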

#9 SweetTech (Agent ST; Members, 13,421 posts)

Posted 14 March 2011 - 11:03 AM

duncan76,

Please note the following warning after the snippet:

2011/03/14 11:57:29.0769 1592 Detected object count: 1
2011/03/14 11:57:39.0223 1592 atapi (16e8b4f35c1594141cd2617f06fe07e2) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/14 11:57:39.0223 1592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 16e8b4f35c1594141cd2617f06fe07e2, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/03/14 11:57:40.0966 1592 Backup copy found, using it..



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


NEXT:


ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
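As an added example (not code from this thread or from Kaspersky's TDSSKiller), the following parser pulls the "Suspicious file (Forged)" verdict out of log lines in the format quoted above and cross-checks it against the driver-inventory line and the declared detection count; the sample log is constructed from the lines quoted in this thread, and the real/fake labels are used exactly as TDSSKiller prints them.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, modelled on the TDSSKiller log quoted in this thread.
SAMPLE_LOG = r"""
2011/03/14 11:57:29.0369 4460 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/14 11:57:29.0769 1592 Detected object count: 1
2011/03/14 11:57:39.0223 1592 atapi (16e8b4f35c1594141cd2617f06fe07e2) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/14 11:57:39.0223 1592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 16e8b4f35c1594141cd2617f06fe07e2, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/03/14 11:57:40.0966 1592 Backup copy found, using it..
"""

# Every TDSSKiller line begins with a timestamp and a thread id.
PREFIX = r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+"
DRIVER_RE = re.compile(PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
COUNT_RE = re.compile(PREFIX + r"Detected object count: (?P<n>\d+)$")
FORGED_RE = re.compile(PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")

@dataclass
class Forged:
    path: str
    real_md5: str               # "Real md5" as printed by TDSSKiller
    fake_md5: str               # "Fake md5" as printed; the two differing is the signal
    inventory_md5: str | None   # hash from the earlier driver-inventory line, if any
    inventory_matches_real: bool

def parse_tdsskiller_log(text: str) -> tuple[int | None, list[Forged]]:
    """Return (declared detection count, forged-driver findings)."""
    inventory: dict[str, str] = {}
    declared = None
    findings: list[Forged] = []
    for line in text.splitlines():
        if m := DRIVER_RE.match(line):
            inventory[m["path"].lower()] = m["md5"]     # paths are case-insensitive on Windows
        elif m := COUNT_RE.match(line):
            declared = int(m["n"])
        elif m := FORGED_RE.match(line):
            seen = inventory.get(m["path"].lower())
            findings.append(Forged(m["path"], m["real"], m["fake"], seen, seen == m["real"]))
    return declared, findings

def count_is_consistent(text: str) -> bool:
    """The declared detection count should equal the forged entries actually listed."""
    declared, findings = parse_tdsskiller_log(text)
    return declared is not None and declared == len(findings)
```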


#10 duncan76

Posted 14 March 2011 - 11:23 AM

Wow. So I will change all of my passwords from a clean machine ASAP. I am thinking that instead of trying to clean it, I should reformat and install from scratch. I am just worried that I won't get it all.

Do you think that is too rash?

#11 SweetTech

Posted 14 March 2011 - 12:11 PM

When you perform a reformat and re-install you are starting over with a clean fresh computer. I can tell you that the infection you have/had is one that is very common, and I have helped users clean their computer of it on multiple occasions. The decision on how you wish to proceed is totally up to you.

Please let me know what you decide.


#12 duncan76

Posted 14 March 2011 - 04:48 PM

Thank you for all of your help. I am going to start from scratch and reformat. I have needed a clean install anyway.

#13 SweetTech

Posted 14 March 2011 - 06:14 PM

Okay, thanks for posting back and informing me of your decision. I appreciate it. :)
