Unknown Malware Infection-changed permissions, corrupted program files


18 replies to this topic

#1 StephL67


Posted 27 March 2011 - 05:21 PM

*Quote original post...
Running Win7 on a Dell Inspiron 1520 with upgraded RAM; otherwise the laptop is stock. The laptop came with Windows XP installed, I upgraded to Vista, ran flawlessly for 3 years but had accumulated junk and the system was running painfully slow. I decided to do some cleanup and went to cnet to find good cleanup utilities. I am assuming that is where I inadvertently downloaded an infected program. The cleanup was going well, freed up a lot of space and the system seemed to run faster, although boot up was still painfully long and it seemed the hd was running very hard in the background.

I first noticed a problem with my AV, Webroot with SpySweeper. It was not loaded to actively scan and protect me; when I tried, I got an error I never saw before that said Webroot had to close and to restart the program, and a status bar showed the progress of closing the program, but after it finished and I clicked OK the program would not start at all, nor could I run any scans.

Then I noticed Windows Defender was turned off, and I turned it on but a scan would not start. I tried Malwarebytes and it ran once, said it found something but needed to reboot to fix; I rebooted and Malwarebytes did not load and run, nor could I ever get it to run a scan after that, and I could never find what it had found. The same scenario happened with AVG Free and any other scanner I tried, including Kaspersky. I even tried downloading them from another computer to a flash drive and installing from it, but still could not get any scans to run. I now suspect the flash drive is infected. It's a 4GB flash drive, but after a format only 3.76GB is available, and sometimes a file named HIMEM appears on the drive which I am able to right click and delete.

After 3 weeks of getting nowhere I decided to delete the hard drive and do a clean install of Win7. I ran Killdisk twice, then installed Win7 from the Microsoft CD. Things seemed great for a couple of hours, running Windows updates, got AVG Free, and then the problems started again: the moment I installed AVG it would not work right; if it ran a scan, everything reported OK, nothing found.

I have managed to get Webroot installed and working but it still does not find anything. I am new to Win7 but the file tree seems wrong: there are multiple sets of the file tree, multiple Documents folders, and some are locked and look like shortcuts but say they are folders, and I get "access denied" when trying to even click on the folder.

I was able to get ThreatFire to work for about a day and it would pop up with alerts on almost everything I tried to do, any program launched would include additional operations like deleting and creating registry keys. The whole file system seems suspect to me but again I am unfamiliar with WIN7. I also found locked files located in temp folders in all of the sets of folders. I have found at least 5 different temp folders in various areas. I ran ATF but it did not delete all of the items in these folders.

My goal is to have a completely clean install of Win7 with NO residual files from prior versions or software. I have already backed up any documents I wanted to keep and located the drivers needed for my video, audio, etc. But it appears that whatever this malware is, Killdisk does not kill it.

I have installed all the recommended software, tried uninstalling the antivirus applications and reinstalling. It seems as if the moment the exe is run the malware infects it. I do see the AVG, MBAM and Webroot engines running in Services, but yet I cannot access the programs nor run scans, with the exception of Webroot, for which I located the exe file in Explorer, right clicked it and ran as admin; then I was able to load the Home panel and perform an update (something else I could not do before with any security software), but it always comes back clean, and occasionally 6 common cookies that keep returning but are low threat.

I believe this is a very nasty infection that is able to corrupt valid system files, prevent being seen, and I think is opening a backdoor connection. Some of the suspect files I have searched have pointed to different Trojans, but I can not get any info on any of them; the infection will not let me view those pages. I have tried to set all security levels to the highest, turned off ActiveX and Java etc., but it does not seem to make any difference.

Please advise...

Thanks, Stephanie

*End Quote*

Let me also clarify here that my copy of Windows 7 is a legitimate purchased genuine copy obtained through my technical college. I do not knowingly use pirated software and make every attempt to download from reputable websites and verify the URL of said sites.


I followed boopme's instructions and downloaded DDS and GMER. The DDS log follows, but I could not get GMER to display the same as in the screenshot samples on the instruction page. The program had almost all options UNCHECKED and greyed out (disabled). The only items checked were Services, Registry, Files and ADS. I ran a scan with these defaults set but the results returned nothing found. I did try to d/l GMER from another computer and run it from a flash drive but got the same results. Also I was not able to stop Webroot nor any other security software; the commands just are not available to me, either the program won't let me access it at all or the settings are greyed out (disabled).

DDS LOG....

.
DDS (Ver_11-03-05.01) - NTFS_AMD64 NETWORK
Run by Stephanie at 17:14:29.58 on Sun 03/27/2011
Internet Explorer: 8.0.7601.17514
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.3141 [GMT -4:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\ThreatFire\TFTray.exe
C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\ThreatFire\TFService.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Stephanie\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe
mRun: [WebrootTrayApp] "C:\Program Files (x86)\Webroot\Security\Current\Framework\WRTray.exe"
mRun: [ThreatFire] "C:\Program Files (x86)\ThreatFire\TFTray.exe"
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: driveragent.com
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
mRun-x64: [NVHotkey] "rundll32.exe" C:\Windows\system32\nvHotkey.dll,Start
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;C:\Program Files (x86)\Webroot\Security\Current\plugins\antimalware\AEI.exe [2011-3-25 3899008]
R2 WRConsumerService;Webroot Client Service;C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [2011-3-25 3251928]
R3 bcm44amd64;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\Windows\System32\drivers\b44amd64.sys [2009-6-10 87552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 ssfmonm;ssfmonm;C:\Windows\System32\drivers\ssfmonm.sys [2011-3-25 55360]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-1-7 378984]
S2 ThreatFire;ThreatFire;C:\Program Files (x86)\ThreatFire\TFService.exe service --> C:\Program Files (x86)\ThreatFire\TFService.exe service [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-3-25 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-25 1255736]
.
=============== Created Last 30 ================
.
2011-03-27 02:16:29 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2011-03-27 00:10:06 -------- d-----w- C:\Users\STEPHA~1\AppData\Local\ElevatedDiagnostics
2011-03-26 20:34:32 74824 ----a-w- C:\Windows\System32\drivers\TfSysMon.sys
2011-03-26 20:34:32 65072 ----a-w- C:\Windows\System32\drivers\TfFsMon.sys
2011-03-26 20:34:32 41888 ----a-w- C:\Windows\System32\drivers\TfNetMon.sys
2011-03-26 20:34:29 -------- d-----w- C:\Program Files (x86)\ThreatFire
2011-03-26 20:34:29 -------- d-----w- C:\PROGRA~3\PC Tools
2011-03-26 02:42:32 -------- d-----w- C:\Windows\System32\SPReview
2011-03-26 02:39:00 48976 ----a-w- C:\Windows\System32\netfxperf.dll
2011-03-26 02:39:00 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-03-26 02:37:59 1548288 ----a-w- C:\Windows\SysWow64\tquery.dll
2011-03-26 02:36:59 293376 ----a-w- C:\Program Files\Internet Explorer\IEShims.dll
2011-03-26 02:35:59 69120 ----a-w- C:\Windows\System32\dot3cfg.dll
2011-03-26 02:34:59 98304 ----a-w- C:\Windows\SysWow64\fphc.dll
2011-03-26 02:33:50 323072 ----a-w- C:\Windows\SysWow64\drvstore.dll
2011-03-26 02:33:50 257024 ----a-w- C:\Windows\SysWow64\dpx.dll
2011-03-26 02:33:42 606208 ----a-w- C:\Windows\SysWow64\wbem\fastprox.dll
2011-03-26 02:33:42 363008 ----a-w- C:\Windows\SysWow64\wbemcomn.dll
2011-03-26 02:30:22 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2011-03-26 02:30:22 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2011-03-26 02:30:22 1225216 ----a-w- C:\Windows\System32\wbem\wbemcore.dll
2011-03-26 02:30:06 933376 ----a-w- C:\Windows\System32\SmiEngine.dll
2011-03-26 02:29:58 199168 ----a-w- C:\Windows\System32\PkgMgr.exe
2011-03-26 02:29:15 422912 ----a-w- C:\Windows\System32\drvstore.dll
2011-03-26 02:29:14 399872 ----a-w- C:\Windows\System32\dpx.dll
2011-03-26 01:51:12 -------- d-----w- C:\Windows\System32\EventProviders
2011-03-26 01:17:24 321024 ----a-w- C:\Windows\System32\d3d10_1core.dll
2011-03-26 01:17:24 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2011-03-26 01:17:24 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2011-03-26 01:17:23 219136 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2011-03-26 01:17:06 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2011-03-26 01:17:06 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2011-03-26 01:17:06 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-03-26 01:17:05 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-03-26 01:17:05 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-03-26 00:23:57 -------- d-----w- C:\Windows\SysWow64\Wat
2011-03-26 00:23:57 -------- d-----w- C:\Windows\System32\Wat
2011-03-26 00:17:22 8424784 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{F373792D-567A-4523-AA82-A852CBB6BC4E}\mpengine.dll
2011-03-25 22:52:58 55360 ----a-w- C:\Windows\System32\drivers\ssfmonm.sys
2011-03-25 22:49:46 -------- d-----w- C:\PROGRA~3\webroot
2011-03-25 22:48:50 -------- d-----w- C:\Users\STEPHA~1\AppData\Local\PackageAware
2011-03-19 20:57:55 137248 ----a-w- C:\Windows\System32\drivers\ssidrv.sys
2011-03-19 20:57:45 -------- d-----w- C:\Program Files (x86)\Webroot
2011-03-16 03:55:34 -------- d-----w- C:\Windows\SysWow64\wbem\Logs
2011-03-16 03:37:34 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-16 03:14:32 -------- d-----w- C:\Users\STEPHA~1\AppData\Local\Apps
2011-03-16 03:10:21 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-03-16 03:10:21 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-03-16 03:08:54 715776 ----a-w- C:\Windows\System32\kerberos.dll
2011-03-16 03:08:54 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2011-03-16 03:08:46 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2011-03-16 03:08:46 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-03-16 03:08:46 366592 ----a-w- C:\Windows\System32\atmfd.dll
2011-03-16 03:08:46 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-03-16 03:08:46 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-03-16 03:08:46 100864 ----a-w- C:\Windows\System32\fontsub.dll
2011-03-16 03:08:44 3129344 ----a-w- C:\Windows\System32\win32k.sys
2011-03-16 03:08:13 214016 ----a-w- C:\Windows\System32\winsrv.dll
2011-03-16 03:00:08 -------- d-----w- C:\Users\STEPHA~1\AppData\Local\Diagnostics
2011-03-14 04:18:07 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2011-03-14 04:16:24 -------- d-----w- C:\PROGRA~3\NVIDIA Corporation
2011-03-14 04:14:26 -------- d-----w- C:\Program Files\NVIDIA Corporation
2011-03-14 04:13:45 -------- d-----w- C:\NVIDIA
2011-03-14 03:50:40 -------- d--h--w- C:\PROGRA~3\Common Files
2011-03-14 03:48:50 -------- d-----w- C:\PROGRA~3\AVG10
2011-03-14 03:48:02 -------- d-----w- C:\Program Files (x86)\AVG
2011-03-14 03:42:04 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-03-14 03:38:53 -------- d-sh--w- C:\Windows\Installer
2011-03-14 03:38:35 -------- d-----w- C:\PROGRA~3\MFAData
.
==================== Find3M ====================
.
2011-03-26 02:51:00 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-03-26 02:50:59 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-01-08 00:50:14 795752 ----a-w- C:\Windows\System32\easyUpdatusAPIU64.dll
2011-01-08 00:50:08 6143080 ----a-w- C:\Windows\System32\nvcpl.dll
2011-01-08 00:49:50 3156072 ----a-w- C:\Windows\System32\nvsvc64.dll
2011-01-08 00:49:28 117864 ----a-w- C:\Windows\System32\nvmctray.dll
2011-01-08 00:49:26 61032 ----a-w- C:\Windows\System32\nvshext.dll
2011-01-08 00:49:26 313448 ----a-w- C:\Windows\System32\nvhotkey.dll
2011-01-08 00:49:26 2558568 ----a-w- C:\Windows\System32\nvsvcr.dll
2011-01-08 00:49:26 1005160 ----a-w- C:\Windows\System32\nvvsvc.exe
2011-01-07 12:17:52 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-01-07 12:17:52 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-01-07 07:46:34 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-01-07 07:46:34 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-01-05 10:34:00 612864 ----a-w- C:\Windows\System32\vbscript.dll
2011-01-05 05:55:55 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
.
============= FINISH: 17:15:35.66 ===============

#2 myrti


Posted 03 April 2011 - 08:45 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 StephL67


Posted 03 April 2011 - 01:37 PM

This is a dell 1520 laptop that has been wiped with killdisk 2 times then a new install of Windows 7 Professional from a genuine windows cd.

No security software will run properly, settings are changed, permissions are changed. It appears that I have multiple duplicated directories such as Desktop, Documents, Program Files, AppData etc...

First attempt to run OTL in regular mode ended with program not responding after 4 hours; second attempt completed successfully in safe mode after approx 30 min.

Could not post the log files, post was too long, I attached both files.

Thanks Stephanie
Attached File: OTL.Txt (355.09KB, 2 downloads)
Attached File: Extras.Txt (25.13KB, 1 download)

#4 myrti


Posted 03 April 2011 - 03:13 PM

Hi,

Gmer will not run since you have a 64bit OS. This:

I have managed to get webroot installed and working but it still does not find anything. I am new to Win7 but the file tree seems wrong, there is multiple sets of the file tree, Multiple Documents folders and some are locked and look like shortcuts but say they are folders and I get "access denied" when trying to even click on the folder.


Is also perfectly normal behaviour for Windows7. The folders you see are stubs for programs that have not yet become compatible with Vista/Windows7.

Have you checked that the programs you installed are both 64bit and Windows7 compatible?

regards myrti


 



#5 StephL67


Posted 03 April 2011 - 04:40 PM

http://support.webroot.com/cgi-bin/webroot.cfg/php/enduser/std_adp.php?p_faqid=418&p_created=1189028995
*QUOTE*
Question
Do Webroot products work on the 64-bit operating systems?

Answer
Yes, Webroot security software versions 5.8 and above are compatible with the 64-bit version of Vista and Windows 7.
*END QUOTE*

*QUOTE*
AVG Antivirus Free Edition 2011 10.0.1209a3533 64-bit
Publisher: Grisoft
Last updated: March 30, 2011
File Size: 170 MB
OS Support: Windows Vista/7 64-bit
License: Freeware
*END QUOTE*

Yes they are compatible; also the problems started in a Windows Vista environment BEFORE I erased the hd and installed Windows 7.

I also get browser redirects when booted in normal mode. I use Windows 7 Pro at work and am in the folders constantly and the whole setup on my work desktop regarding the directory tree just seems different than what I am seeing on my laptop, is it because I have hidden files set to show?

Also Windows security features are disabled including defender, security center and windows update. Control panel looks different and does not even have a security option to select to get to the defender settings.

#6 myrti


Posted 03 April 2011 - 04:46 PM

Hi,

the disabled Security Center and updates are what points to malware. As said, many of the tree structures may be intentional from Windows.

Do you use a router to go online?

Please run a scan with tdsskiller next:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


 

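An added, read-only triage script (written for this page, not part of the thread or of DDS, OTL or TDSSKiller) that reports the state myrti is pointing at: whether the Windows 7 Defender, Security Center, Windows Update, BITS and Firewall services are stopped or set to Disabled, the policy values DDS summarised under "mPolicies", and any domain placed in Internet Explorer's Trusted Sites zone (the "Trusted Zone:" line in the DDS log). The service names, registry paths and zone value 2 are standard Windows locations and are assumed here, not taken from the thread.

```powershell
# Added triage script, not part of the thread or of DDS/OTL/TDSSKiller.
# Read-only: it reports state and changes nothing. Run from an elevated
# PowerShell prompt on the Windows 7 machine being examined.

# Services the thread reports as disabled or unstartable: Windows Defender,
# Security Center, Windows Update, BITS (used by Update) and Windows Firewall.
$securityServices = 'WinDefend', 'wscsvc', 'wuauserv', 'BITS', 'MpsSvc'

# Policy values that switch those features off, plus the values DDS listed
# as "mPolicies-system" and "mPolicies-explorer" (standard locations, assumed).
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name = 'NoAutoUpdate' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'ConsentPromptBehaviorUser' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableUIADesktopToggle' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktop' }
)

function Get-SecurityServiceState {
    foreach ($name in $securityServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = 'MISSING'
        $startMode = 'n/a'
        if ($svc -ne $null) {
            $status = $svc.Status
            # Start mode (Auto/Manual/Disabled) is only exposed through WMI on Windows 7;
            # 'Disabled' on any of these is the symptom described in the thread.
            $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
            if ($wmi -ne $null) { $startMode = $wmi.StartMode }
        }
        New-Object PSObject -Property @{ Service = $name; Status = $status; StartMode = $startMode }
    }
}

function Get-PolicyValueState {
    foreach ($check in $policyChecks) {
        $value = '(not set)'
        if (Test-Path -Path $check.Path) {
            $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
            if ($item -ne $null) { $value = $item.($check.Name) }
        }
        New-Object PSObject -Property @{ Key = $check.Path; Name = $check.Name; Value = $value }
    }
}

function Get-TrustedZoneDomains {
    # Internet Explorer keeps per-domain zone assignments under ZoneMap\Domains;
    # a value of 2 on '*', 'http' or 'https' places the domain in Trusted Sites.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path -Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if (($p.Name -eq '*' -or $p.Name -eq 'http' -or $p.Name -eq 'https') -and $p.Value -eq 2) {
                # The key path below Domains\ is the domain (sub-keys are host prefixes).
                $_.PSPath -replace '^.*\\Domains\\', ''
            }
        }
    }
}

Write-Host '== Security service state =='
Get-SecurityServiceState | Format-Table Service, Status, StartMode -AutoSize
Write-Host '== Policy values =='
Get-PolicyValueState | Format-Table Name, Value, Key -AutoSize
Write-Host '== Domains in the IE Trusted Sites zone =='
Get-TrustedZoneDomains
```

A value listed as "(not set)" means the policy is absent, which is the default on a fresh install; compare anything that is set against what you configured yourself.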


#7 StephL67


Posted 03 April 2011 - 05:39 PM

Here is the log, it didn't find anything. I want to mention that anytime I d/l and choose 'save' the default location is c:\desktop, I have to browse to the top tier desktop. Also I just realized there are items that got saved to the c:\desktop folder that do not appear on my desktop. Thanks so much for your help, I really hope you can figure this out! I am prepared to do a complete erase of the HD if needed.

*edit* Sorry, I forgot to answer your question: I am on a wireless connection to a Linksys router connected to the base desktop PC (my husband's) and a Comcast modem.

2011/04/03 18:32:32.0016 2824 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/03 18:32:32.0156 2824 ================================================================================
2011/04/03 18:32:32.0156 2824 SystemInfo:
2011/04/03 18:32:32.0156 2824
2011/04/03 18:32:32.0156 2824 OS Version: 6.1.7601 ServicePack: 1.0
2011/04/03 18:32:32.0156 2824 Product type: Workstation
2011/04/03 18:32:32.0156 2824 ComputerName: STEPHANIE-PC
2011/04/03 18:32:32.0156 2824 UserName: Stephanie
2011/04/03 18:32:32.0156 2824 Windows directory: C:\Windows
2011/04/03 18:32:32.0156 2824 System windows directory: C:\Windows
2011/04/03 18:32:32.0156 2824 Running under WOW64
2011/04/03 18:32:32.0156 2824 Processor architecture: Intel x64
2011/04/03 18:32:32.0156 2824 Number of processors: 2
2011/04/03 18:32:32.0156 2824 Page size: 0x1000
2011/04/03 18:32:32.0156 2824 Boot type: Safe boot with network
2011/04/03 18:32:32.0156 2824 ================================================================================
2011/04/03 18:32:32.0640 2824 Initialize success
2011/04/03 18:32:50.0720 2768 ================================================================================
2011/04/03 18:32:50.0720 2768 Scan started
2011/04/03 18:32:50.0720 2768 Mode: Manual;
2011/04/03 18:32:50.0720 2768 ================================================================================
2011/04/03 18:32:52.0795 2768 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
2011/04/03 18:32:52.0967 2768 a2acc (0b8ed3de81ec30ad50873f033b34b39e) C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys
2011/04/03 18:32:53.0013 2768 a2injectiondriver (f75ddc4047aa1ac85164445cba7601ef) C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys
2011/04/03 18:32:53.0076 2768 a2util (e41d79682a209f72f4f578cfd4a53952) C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys
2011/04/03 18:32:53.0247 2768 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
2011/04/03 18:32:53.0341 2768 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
2011/04/03 18:32:53.0435 2768 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/04/03 18:32:53.0513 2768 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2011/04/03 18:32:53.0559 2768 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2011/04/03 18:32:53.0700 2768 AFD (d31dc7a16dea4a9baf179f3d6fbdb38c) C:\Windows\system32\drivers\afd.sys
2011/04/03 18:32:53.0793 2768 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
2011/04/03 18:32:53.0887 2768 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
2011/04/03 18:32:53.0918 2768 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
2011/04/03 18:32:53.0996 2768 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2011/04/03 18:32:54.0059 2768 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2011/04/03 18:32:54.0168 2768 amdsata (6ec6d772eae38dc17c14aed9b178d24b) C:\Windows\system32\drivers\amdsata.sys
2011/04/03 18:32:54.0230 2768 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/04/03 18:32:54.0293 2768 amdxata (1142a21db581a84ea5597b03a26ebaa0) C:\Windows\system32\drivers\amdxata.sys
2011/04/03 18:32:54.0417 2768 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
2011/04/03 18:32:54.0527 2768 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2011/04/03 18:32:54.0542 2768 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2011/04/03 18:32:54.0589 2768 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/04/03 18:32:54.0683 2768 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
2011/04/03 18:32:54.0854 2768 avgntflt (39c2e2870fc0c2ae0595b883cbe716b4) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/04/03 18:32:54.0917 2768 avipbb (c98fa6e5ad0e857d22716bd2b8b1f399) C:\Windows\system32\DRIVERS\avipbb.sys
2011/04/03 18:32:55.0041 2768 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2011/04/03 18:32:55.0104 2768 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2011/04/03 18:32:55.0353 2768 BCM43XX (fb4fda64f2e8552eaeb5986c3f34462c) C:\Windows\system32\DRIVERS\bcmwl664.sys
2011/04/03 18:32:55.0431 2768 bcm44amd64 (2bc7c1697b633692a061a4a36ed9dfdd) C:\Windows\system32\DRIVERS\b44amd64.sys
2011/04/03 18:32:55.0541 2768 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2011/04/03 18:32:55.0619 2768 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/04/03 18:32:55.0681 2768 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2011/04/03 18:32:55.0759 2768 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/04/03 18:32:55.0790 2768 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/04/03 18:32:55.0868 2768 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2011/04/03 18:32:55.0931 2768 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/04/03 18:32:56.0009 2768 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/04/03 18:32:56.0040 2768 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/04/03 18:32:56.0087 2768 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/04/03 18:32:56.0258 2768 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/04/03 18:32:56.0383 2768 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\drivers\cdrom.sys
2011/04/03 18:32:56.0477 2768 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2011/04/03 18:32:56.0539 2768 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2011/04/03 18:32:56.0617 2768 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/04/03 18:32:56.0711 2768 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
2011/04/03 18:32:56.0804 2768 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
2011/04/03 18:32:56.0898 2768 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2011/04/03 18:32:56.0991 2768 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
2011/04/03 18:32:57.0054 2768 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/04/03 18:32:57.0179 2768 CSC (54da3dfd29ed9f1619b6f53f3ce55e49) C:\Windows\system32\drivers\csc.sys
2011/04/03 18:32:57.0350 2768 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
2011/04/03 18:32:57.0413 2768 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2011/04/03 18:32:57.0475 2768 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2011/04/03 18:32:57.0600 2768 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2011/04/03 18:32:57.0725 2768 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
2011/04/03 18:32:57.0912 2768 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2011/04/03 18:32:58.0130 2768 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2011/04/03 18:32:58.0224 2768 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
2011/04/03 18:32:58.0380 2768 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2011/04/03 18:32:58.0411 2768 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2011/04/03 18:32:58.0458 2768 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2011/04/03 18:32:58.0520 2768 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2011/04/03 18:32:58.0567 2768 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2011/04/03 18:32:58.0598 2768 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/04/03 18:32:58.0739 2768 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
2011/04/03 18:32:58.0832 2768 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2011/04/03 18:32:58.0879 2768 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2011/04/03 18:32:58.0973 2768 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
2011/04/03 18:32:59.0019 2768 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/04/03 18:32:59.0066 2768 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2011/04/03 18:32:59.0207 2768 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
2011/04/03 18:32:59.0269 2768 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
2011/04/03 18:32:59.0331 2768 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/04/03 18:32:59.0363 2768 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2011/04/03 18:32:59.0394 2768 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2011/04/03 18:32:59.0534 2768 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\drivers\hidusb.sys
2011/04/03 18:32:59.0597 2768 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
2011/04/03 18:32:59.0737 2768 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
2011/04/03 18:32:59.0831 2768 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
2011/04/03 18:32:59.0924 2768 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
2011/04/03 18:33:00.0018 2768 iaStorV (3df4395a7cf8b7a72a5f4606366b8c2d) C:\Windows\system32\drivers\iaStorV.sys
2011/04/03 18:33:00.0080 2768 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2011/04/03 18:33:00.0236 2768 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
2011/04/03 18:33:00.0299 2768 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2011/04/03 18:33:00.0377 2768 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/04/03 18:33:00.0455 2768 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
2011/04/03 18:33:00.0517 2768 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2011/04/03 18:33:00.0564 2768 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2011/04/03 18:33:00.0642 2768 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
2011/04/03 18:33:00.0720 2768 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
2011/04/03 18:33:00.0767 2768 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\drivers\kbdclass.sys
2011/04/03 18:33:00.0829 2768 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\drivers\kbdhid.sys
2011/04/03 18:33:00.0923 2768 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
2011/04/03 18:33:01.0001 2768 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
2011/04/03 18:33:01.0063 2768 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2011/04/03 18:33:01.0157 2768 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2011/04/03 18:33:01.0235 2768 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/04/03 18:33:01.0266 2768 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/04/03 18:33:01.0344 2768 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/04/03 18:33:01.0391 2768 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/04/03 18:33:01.0469 2768 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2011/04/03 18:33:01.0515 2768 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2011/04/03 18:33:01.0593 2768 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/04/03 18:33:01.0671 2768 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2011/04/03 18:33:01.0734 2768 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2011/04/03 18:33:01.0843 2768 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\drivers\mouclass.sys
2011/04/03 18:33:01.0921 2768 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2011/04/03 18:33:02.0015 2768 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
2011/04/03 18:33:02.0093 2768 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
2011/04/03 18:33:02.0124 2768 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2011/04/03 18:33:02.0233 2768 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
2011/04/03 18:33:02.0327 2768 mrxsmb (faf015b07e3a2874a790a39b7d2c579f) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/04/03 18:33:02.0420 2768 mrxsmb10 (08e2345df129082bcdffdc1440f9c00d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/04/03 18:33:02.0498 2768 mrxsmb20 (108d87409c5812ef47d81e22843e8c9d) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/04/03 18:33:02.0592 2768 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
2011/04/03 18:33:02.0639 2768 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
2011/04/03 18:33:02.0732 2768 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2011/04/03 18:33:02.0795 2768 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2011/04/03 18:33:02.0841 2768 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
2011/04/03 18:33:02.0919 2768 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2011/04/03 18:33:02.0966 2768 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/04/03 18:33:03.0013 2768 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2011/04/03 18:33:03.0138 2768 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
2011/04/03 18:33:03.0247 2768 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
2011/04/03 18:33:03.0294 2768 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2011/04/03 18:33:03.0325 2768 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/04/03 18:33:03.0387 2768 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2011/04/03 18:33:03.0497 2768 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2011/04/03 18:33:03.0606 2768 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
2011/04/03 18:33:03.0684 2768 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/04/03 18:33:03.0731 2768 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/04/03 18:33:03.0824 2768 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/04/03 18:33:03.0933 2768 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/04/03 18:33:04.0011 2768 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
2011/04/03 18:33:04.0089 2768 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2011/04/03 18:33:04.0183 2768 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
2011/04/03 18:33:04.0277 2768 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/04/03 18:33:04.0323 2768 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2011/04/03 18:33:04.0370 2768 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2011/04/03 18:33:04.0526 2768 Ntfs (05d78aa5cb5f3f5c31160bdb955d0b7c) C:\Windows\system32\drivers\Ntfs.sys
2011/04/03 18:33:04.0635 2768 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2011/04/03 18:33:05.0135 2768 nvlddmkm (f12c5f17d48d9f5c70e4408b3ccb5443) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/04/03 18:33:05.0727 2768 nvraid (5d9fd91f3d38dc9da01e3cb5fa89cd48) C:\Windows\system32\drivers\nvraid.sys
2011/04/03 18:33:05.0759 2768 nvstor (f7cd50fe7139f07e77da8ac8033d1832) C:\Windows\system32\drivers\nvstor.sys
2011/04/03 18:33:05.0852 2768 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
2011/04/03 18:33:05.0930 2768 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
2011/04/03 18:33:06.0008 2768 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2011/04/03 18:33:06.0102 2768 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
2011/04/03 18:33:06.0180 2768 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
2011/04/03 18:33:06.0227 2768 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
2011/04/03 18:33:06.0289 2768 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/04/03 18:33:06.0336 2768 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2011/04/03 18:33:06.0429 2768 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2011/04/03 18:33:06.0773 2768 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
2011/04/03 18:33:06.0835 2768 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2011/04/03 18:33:06.0975 2768 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
2011/04/03 18:33:07.0085 2768 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2011/04/03 18:33:07.0178 2768 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/04/03 18:33:07.0241 2768 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2011/04/03 18:33:07.0287 2768 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2011/04/03 18:33:07.0365 2768 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/04/03 18:33:07.0459 2768 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/04/03 18:33:07.0521 2768 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/04/03 18:33:07.0568 2768 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2011/04/03 18:33:07.0662 2768 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
2011/04/03 18:33:07.0724 2768 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/04/03 18:33:07.0787 2768 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/04/03 18:33:07.0896 2768 RDPDR (1b6163c503398b23ff8b939c67747683) C:\Windows\system32\drivers\rdpdr.sys
2011/04/03 18:33:07.0927 2768 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2011/04/03 18:33:07.0974 2768 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2011/04/03 18:33:08.0067 2768 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
2011/04/03 18:33:08.0208 2768 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
2011/04/03 18:33:08.0317 2768 rimmptsk (e31960692cbb3a8bcdf300bc1d889e1f) C:\Windows\system32\DRIVERS\rimmpx64.sys
2011/04/03 18:33:08.0426 2768 rimsptsk (bb9edc55b0b8cb4fcd713428820e0776) C:\Windows\system32\DRIVERS\rimspx64.sys
2011/04/03 18:33:08.0473 2768 rismxdp (481c3fdeacaae04b74c58288dbc91df9) C:\Windows\system32\DRIVERS\rixdpx64.sys
2011/04/03 18:33:08.0598 2768 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2011/04/03 18:33:08.0676 2768 s3cap (e60c0a09f997826c7627b244195ab581) C:\Windows\system32\drivers\vms3cap.sys
2011/04/03 18:33:08.0801 2768 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
2011/04/03 18:33:08.0879 2768 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
2011/04/03 18:33:09.0003 2768 sdbus (111e0ebc0ad79cb0fa014b907b231cf0) C:\Windows\system32\drivers\sdbus.sys
2011/04/03 18:33:09.0066 2768 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/04/03 18:33:09.0128 2768 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2011/04/03 18:33:09.0206 2768 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2011/04/03 18:33:09.0315 2768 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2011/04/03 18:33:09.0425 2768 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
2011/04/03 18:33:09.0471 2768 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
2011/04/03 18:33:09.0503 2768 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
2011/04/03 18:33:09.0581 2768 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/04/03 18:33:09.0627 2768 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/04/03 18:33:09.0705 2768 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/04/03 18:33:09.0752 2768 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2011/04/03 18:33:09.0830 2768 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2011/04/03 18:33:09.0955 2768 srv (2098b8556d1cec2aca9a29cd479e3692) C:\Windows\system32\DRIVERS\srv.sys
2011/04/03 18:33:10.0080 2768 srv2 (d0f73a42040f21f92fd314b42ac5c9e7) C:\Windows\system32\DRIVERS\srv2.sys
2011/04/03 18:33:10.0158 2768 SrvHsfHDA (0c4540311e11664b245a263e1154cef8) C:\Windows\system32\DRIVERS\VSTAZL6.SYS
2011/04/03 18:33:10.0236 2768 SrvHsfV92 (02071d207a9858fbe3a48cbfd59c4a04) C:\Windows\system32\DRIVERS\VSTDPV6.SYS
2011/04/03 18:33:10.0345 2768 SrvHsfWinac (18e40c245dbfaf36fd0134a7ef2df396) C:\Windows\system32\DRIVERS\VSTCNXT6.SYS
2011/04/03 18:33:10.0485 2768 srvnet (2ba8f3250828ccdb4204ecf2c6f40b6a) C:\Windows\system32\DRIVERS\srvnet.sys
2011/04/03 18:33:10.0595 2768 ssfmonm (23bf9353520ca427bfc8e021ea948011) C:\Windows\system32\DRIVERS\ssfmonm.sys
2011/04/03 18:33:10.0688 2768 ssidrv (5012dfc0920f61ef842abb5d07df59d5) C:\Windows\system32\DRIVERS\ssidrv.sys
2011/04/03 18:33:10.0797 2768 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2011/04/03 18:33:10.0907 2768 storflt (7785dc213270d2fc066538daf94087e7) C:\Windows\system32\drivers\vmstorfl.sys
2011/04/03 18:33:10.0938 2768 storvsc (d34e4943d5ac096c8edeebfd80d76e23) C:\Windows\system32\drivers\storvsc.sys
2011/04/03 18:33:11.0031 2768 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
2011/04/03 18:33:11.0281 2768 Tcpip (509383e505c973ed7534a06b3d19688d) C:\Windows\system32\drivers\tcpip.sys
2011/04/03 18:33:11.0499 2768 TCPIP6 (509383e505c973ed7534a06b3d19688d) C:\Windows\system32\DRIVERS\tcpip.sys
2011/04/03 18:33:11.0624 2768 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
2011/04/03 18:33:11.0687 2768 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2011/04/03 18:33:11.0702 2768 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2011/04/03 18:33:11.0811 2768 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
2011/04/03 18:33:11.0905 2768 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
2011/04/03 18:33:12.0077 2768 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/04/03 18:33:12.0186 2768 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
2011/04/03 18:33:12.0326 2768 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
2011/04/03 18:33:12.0373 2768 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2011/04/03 18:33:12.0467 2768 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
2011/04/03 18:33:12.0591 2768 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
2011/04/03 18:33:12.0638 2768 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
2011/04/03 18:33:12.0685 2768 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2011/04/03 18:33:12.0794 2768 usbccgp (481dff26b4dca8f4cbac1f7dce1d6829) C:\Windows\system32\drivers\usbccgp.sys
2011/04/03 18:33:12.0841 2768 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
2011/04/03 18:33:12.0888 2768 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2011/04/03 18:33:12.0997 2768 usbhub (dc96bd9ccb8403251bcf25047573558e) C:\Windows\system32\drivers\usbhub.sys
2011/04/03 18:33:13.0044 2768 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2011/04/03 18:33:13.0075 2768 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2011/04/03 18:33:13.0122 2768 USBSTOR (d76510cfa0fc09023077f22c2f979d86) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/04/03 18:33:13.0184 2768 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/04/03 18:33:13.0262 2768 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
2011/04/03 18:33:13.0325 2768 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/04/03 18:33:13.0356 2768 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2011/04/03 18:33:13.0465 2768 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
2011/04/03 18:33:13.0574 2768 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
2011/04/03 18:33:13.0668 2768 vmbus (86ea3e79ae350fea5331a1303054005f) C:\Windows\system32\drivers\vmbus.sys
2011/04/03 18:33:13.0746 2768 VMBusHID (7de90b48f210d29649380545db45a187) C:\Windows\system32\drivers\VMBusHID.sys
2011/04/03 18:33:13.0793 2768 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
2011/04/03 18:33:13.0902 2768 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
2011/04/03 18:33:13.0933 2768 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
2011/04/03 18:33:14.0011 2768 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/04/03 18:33:14.0058 2768 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
2011/04/03 18:33:14.0089 2768 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
2011/04/03 18:33:14.0151 2768 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2011/04/03 18:33:14.0261 2768 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/03 18:33:14.0276 2768 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/03 18:33:14.0479 2768 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2011/04/03 18:33:14.0557 2768 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/04/03 18:33:14.0775 2768 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/04/03 18:33:14.0807 2768 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2011/04/03 18:33:15.0072 2768 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
2011/04/03 18:33:15.0181 2768 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2011/04/03 18:33:15.0353 2768 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
2011/04/03 18:33:15.0446 2768 ================================================================================
2011/04/03 18:33:15.0446 2768 Scan finished
2011/04/03 18:33:15.0446 2768 ================================================================================

Edited by StephL67, 03 April 2011 - 05:43 PM.


#8 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 03 April 2011 - 06:15 PM

Could you bypass the router to see if the infection stops?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#9 StephL67
  • Topic Starter
  • Members
  • 25 posts
  • Gender:Female
  • Location:Georgia

Posted 03 April 2011 - 07:13 PM

Do you mean connect the Comcast modem directly to the laptop?

Also, what would be the expected/wanted results? Is there something else I should do, look for during the new connection, or any program I should run? Will Windows automatically revert to normal??? Should I boot in safe mode or normal? Right now I cannot run things in normal mode and cannot get back to your website. I get a browser redirect and IE always acts like it is starting for the first time (this also happens in safe mode).

I did run the laptop for the three weeks I spent trying to 'cure' it in safe mode only, and actually turned the wireless switch 'off' on the side of the laptop. I finally gave up and did the complete erase. At first I suspected Silverlight, then Adobe, but after the new install of Win7 it was when I went to d/l AVG free, and that was through the wireless connection.

I will complete your instructions after work tomorrow, thanks so much! Stephanie

Edited by StephL67, 03 April 2011 - 07:21 PM.


#10 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 04 April 2011 - 07:04 AM

Hi,

It is possible that the redirects are caused by settings in the router, so yes, ideally connect to the modem directly and see if the redirects stop.

Please also run a scan with ComboFix, if possible from normal mode. If that is impossible, in safe mode:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#11 StephL67
  • Topic Starter
  • Members
  • 25 posts
  • Gender:Female
  • Location:Georgia

Posted 05 April 2011 - 07:25 PM

Hello, sorry for the long wait for a response, I was not able to complete your instructions until now. Hard-wiring the internet connection did seem to stop the browser redirects! Does this mean my router is infected? Does that mean all my wireless connections could be infected?

Also, Emsisoft started working. I have the wireless switch off while I am connected directly to the modem, and I was able to get a data update for Emsisoft and it has blocked several things, one was a connection. It also automatically started a scan and once that has completed I will disable it and run ComboFix. I don't know how long it takes for all of this to run, so I may not be able to post the logs until after work tomorrow. Thanks for your patience!

Stephanie.

#12 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 05 April 2011 - 07:49 PM

Hi,

Yes, this sounds like the router was infected. This does not mean that all the PCs on your network are necessarily infected though, just the router.

Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what the default username and password of your router are and note them down: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that, type http://192.168.1.1 in the address bar and press Enter. You get the login window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard, but you have to fill in the login password your ISP initially gave you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to Start => Control Panel => Double-click Network and Sharing Center.
    • In the left window select Manage network Connection.
    • In the right window right-click Local Area Connection and select Properties.
    • Internet Protocol Version 6 (IPv6) should be checked. Double-click on it and make sure of the following settings:
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
    • Click OK.
    • Internet Protocol Version 4 (IPv4) should be checked. Double-click on it.
    • The option Obtain an IP address automatically should be checked.
    • The option Obtain DNS server address automatically should be checked.
  • Click OK twice.
  • If you should change any setting, reboot the computer.

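The IP and DNS settings that post #12 walks through in the Control Panel can also be read back from the command line. The script below is an added example and is not part of this thread or of myrti's instructions; it only reads settings and changes nothing. It uses WMI (Win32_NetworkAdapterConfiguration) and the Tcpip\Parameters\Interfaces registry keys, which exist on Windows 7's PowerShell 2.0 as well as on later Windows PowerShell versions. The function names Get-DnsSettingsReport and Test-PrivateAddress are my own, and the "public DNS address" check is a heuristic based on the assumption that a home router hands out a private (RFC 1918) address, usually its own, as the DNS server; a hit is something to compare against what the ISP actually provides, not proof of a changed router.

```powershell
# Added example, not from the thread: report each active adapter's IP/DNS
# configuration and flag anything that differs from the "obtain automatically"
# settings the post asks for. Read-only; no setting is modified.

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    return (($Address -match '^10\.') -or
            ($Address -match '^172\.(1[6-9]|2[0-9]|3[01])\.') -or
            ($Address -match '^192\.168\.'))
}

function Get-DnsSettingsReport {
    $report   = @()
    $ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled }

    foreach ($a in $adapters) {
        $findings = @()

        # Static IP: the post expects "Obtain an IP address automatically".
        if (-not $a.DHCPEnabled) {
            $findings += 'IP address is configured statically'
        }

        # Static DNS: the NameServer value under the interface key is only
        # populated when DNS servers were entered by hand (or by something on
        # the machine); DhcpNameServer holds what the router handed out.
        $reg = Get-ItemProperty -Path (Join-Path $ifaceKey $a.SettingID) -ErrorAction SilentlyContinue
        $dhcpDns = ''
        if ($reg) {
            $dhcpDns = [string]$reg.DhcpNameServer
            if ($reg.NameServer) {
                $findings += "DNS servers are set statically: $($reg.NameServer)"
            }
        }

        # DNS servers outside the private ranges (heuristic, see lead-in):
        # a home router normally hands out itself as the resolver.
        foreach ($dns in @($a.DNSServerSearchOrder)) {
            if ($dns -and -not (Test-PrivateAddress $dns)) {
                $findings += "DNS server $dns is outside the private address ranges"
            }
        }

        $report += New-Object PSObject -Property @{
            Adapter  = $a.Description
            DHCP     = [bool]$a.DHCPEnabled
            IP       = ($a.IPAddress -join ', ')
            Gateway  = ($a.DefaultIPGateway -join ', ')
            DNS      = ($a.DNSServerSearchOrder -join ', ')
            DhcpDns  = $dhcpDns
            Findings = ($findings -join '; ')
        }
    }
    return $report
}

# Usage: run from an elevated PowerShell prompt and read the Findings column.
Get-DnsSettingsReport | Format-List Adapter, DHCP, IP, Gateway, DNS, DhcpDns, Findings
```

Because the thread's redirects stopped as soon as the laptop was plugged straight into the modem, the interesting column on an affected machine is DhcpDns: if the router itself has been changed, the resolver it hands out via DHCP will look wrong even though Windows is correctly set to "obtain automatically".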


#13 StephL67
  • Topic Starter
  • Members
  • 25 posts
  • Gender:Female
  • Location:Georgia

Posted 05 April 2011 - 08:36 PM

I cancelled the Emisoft scan in order to run the ComboFix, Also I want to mention that when the Emisoft asked for an update, (this was during the hard wired connection) After I d/l the program and went to run the program, the Windows Account Access Settings window popped up asking for permission as normal, BUT what seemed suspicious to me was the "details" of where the program file was running from, the file path was in the x86 directory but after the normal looking path there was a space (typing this from memory, sorry) and the something like R/= SPAWN???/SPAWN???? (the ? marks are what I cannot recall) the spawn portion and the strange R/= seemed like programming code. I canceled the program. It was shortly after this that Emisoft disabled and I lost my internet connection even though I was plugged directly into the router.

I had to disconnect and plug back into my power source (this is a laptop with a 6 old battery). I was able to start ComboFix while connected and it completed its run...

Here is the log, I will reset the browser first thing after work tomorrow and report back.

Many blessings on you!
Stephanie


*COMBOFIX LOG*

ComboFix 11-04-04.02 - Stephanie 04/05/2011 20:34:52.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.3087 [GMT -4:00]
Running from: c:\users\Stephanie\Desktop\ComboFix.exe
AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))
.
.
2011-04-06 01:09 . 2011-04-06 01:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-05 23:47 . 2011-03-15 05:17 8424784 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{67BD008E-AC19-4BE7-B0D6-5A9D61229BA2}\mpengine.dll
2011-04-03 02:33 . 2011-03-04 18:37 116568 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-04-03 02:33 . 2011-03-04 18:37 83120 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-03 02:33 . 2011-04-03 02:33 -------- d-----w- c:\programdata\Avira
2011-04-03 02:33 . 2011-04-03 02:33 -------- d-----w- c:\program files (x86)\Avira
2011-04-03 01:47 . 2011-04-03 01:47 -------- d-----w- c:\windows\system32\appmgmt
2011-04-02 23:49 . 2011-04-06 00:28 -------- d-----w- c:\program files (x86)\Emsisoft Anti-Malware
2011-03-27 21:33 . 2011-04-03 18:13 -------- d-----w- C:\Desktop
2011-03-27 03:01 . 2011-03-27 03:01 -------- d-----w- c:\windows\SysWow64\Macromed
2011-03-27 02:56 . 2011-03-27 02:56 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2011-03-27 02:56 . 2007-07-27 23:45 57856 ----a-w- c:\windows\system32\drivers\rixdpx64.sys
2011-03-27 02:56 . 2007-07-27 00:33 55296 ----a-w- c:\windows\system32\drivers\rimspx64.sys
2011-03-27 02:56 . 2007-03-19 16:09 55808 ----a-w- c:\windows\system32\drivers\rimmpx64.sys
2011-03-27 02:56 . 2004-09-04 07:00 90112 ----a-w- c:\windows\system32\snymsico.dll
2011-03-27 02:56 . 2011-03-27 02:56 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2011-03-27 02:56 . 2011-03-27 02:56 -------- d-----w- C:\dell
2011-03-26 02:42 . 2011-03-26 02:42 -------- d-----w- c:\windows\system32\SPReview
2011-03-26 02:39 . 2010-11-05 01:57 48976 ----a-w- c:\windows\system32\netfxperf.dll
2011-03-26 02:39 . 2010-11-05 01:57 1942856 ----a-w- c:\windows\system32\dfshim.dll
2011-03-26 02:37 . 2010-11-20 12:21 1548288 ----a-w- c:\windows\SysWow64\tquery.dll
2011-03-26 02:36 . 2010-11-20 13:33 289664 ----a-w- c:\windows\system32\drivers\fltMgr.sys
2011-03-26 02:35 . 2010-11-20 13:33 213888 ----a-w- c:\windows\system32\drivers\rdyboost.sys
2011-03-26 02:34 . 2010-11-20 13:27 392192 ----a-w- c:\windows\system32\WMPhoto.dll
2011-03-26 02:33 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
2011-03-26 02:33 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
2011-03-26 02:33 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2011-03-26 02:33 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2011-03-26 02:30 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-03-26 02:30 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-03-26 02:30 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-03-26 02:30 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-03-26 02:29 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-03-26 02:29 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-03-26 02:29 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-03-26 01:51 . 2011-03-26 01:51 -------- d-----w- c:\windows\system32\EventProviders
2011-03-26 01:17 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-26 01:17 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-03-26 01:17 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-03-26 01:17 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-03-26 01:17 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2011-03-26 01:17 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2011-03-26 01:17 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-03-26 01:17 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-03-26 01:17 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-03-26 00:23 . 2011-03-26 00:23 -------- d-----w- c:\windows\SysWow64\Wat
2011-03-26 00:23 . 2011-03-26 00:23 -------- d-----w- c:\windows\system32\Wat
2011-03-25 23:36 . 2011-03-25 23:36 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2011-03-25 22:52 . 2011-02-15 18:36 55360 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-03-19 20:57 . 2011-02-15 18:36 137248 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-03-16 03:55 . 2011-03-16 03:55 -------- d-----w- c:\windows\SysWow64\wbem\Logs
2011-03-16 03:10 . 2011-01-07 09:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-03-16 03:10 . 2011-01-07 06:01 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-03-16 03:08 . 2010-12-17 11:40 715776 ----a-w- c:\windows\system32\kerberos.dll
2011-03-16 03:08 . 2010-12-17 07:07 542208 ----a-w- c:\windows\SysWow64\kerberos.dll
2011-03-16 03:08 . 2011-01-07 12:14 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-03-16 03:08 . 2011-01-07 09:20 366592 ----a-w- c:\windows\system32\atmfd.dll
2011-03-16 03:08 . 2011-01-07 07:45 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-03-16 03:08 . 2011-01-07 05:43 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-03-16 03:08 . 2010-09-30 10:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2011-03-16 03:08 . 2010-09-30 06:47 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2011-03-16 03:08 . 2011-01-05 06:56 3129344 ----a-w- c:\windows\system32\win32k.sys
2011-03-16 03:08 . 2010-12-17 11:42 214016 ----a-w- c:\windows\system32\winsrv.dll
2011-03-14 04:43 . 2011-03-14 04:43 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-03-14 04:18 . 2011-04-05 23:32 -------- d-----w- c:\programdata\NVIDIA
2011-03-14 04:18 . 2011-03-27 03:12 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2011-03-14 04:16 . 2011-03-14 04:16 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-03-14 04:14 . 2011-03-27 03:11 -------- d-----w- c:\program files\NVIDIA Corporation
2011-03-14 04:13 . 2011-03-14 04:13 -------- d-----w- C:\NVIDIA
2011-03-14 03:50 . 2011-03-14 03:50 -------- d--h--w- c:\programdata\Common Files
2011-03-14 03:48 . 2011-03-16 03:25 -------- d-----w- c:\programdata\AVG10
2011-03-14 03:48 . 2011-03-14 03:48 -------- d-----w- c:\program files (x86)\AVG
2011-03-14 03:42 . 2011-02-02 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-03-14 03:38 . 2011-04-05 23:47 -------- d-sh--w- c:\windows\Installer
2011-03-14 03:38 . 2011-03-16 04:03 -------- d-----w- c:\programdata\MFAData
2011-03-14 03:20 . 2011-03-27 21:06 -------- d-----w- c:\users\Stephanie
2011-03-14 03:20 . 2011-03-14 03:20 -------- d-----w- C:\Recovery
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-26 02:51 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-03-26 02:50 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-01-08 00:50 . 2011-01-08 00:50 795752 ----a-w- c:\windows\system32\easyUpdatusAPIU64.dll
2011-01-08 00:50 . 2011-01-08 00:50 6143080 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-08 00:49 . 2011-01-08 00:49 3156072 ----a-w- c:\windows\system32\nvsvc64.dll
2011-01-08 00:49 . 2011-01-08 00:49 117864 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-08 00:49 . 2011-01-08 00:49 61032 ----a-w- c:\windows\system32\nvshext.dll
2011-01-08 00:49 . 2011-01-08 00:49 313448 ----a-w- c:\windows\system32\nvhotkey.dll
2011-01-08 00:49 . 2011-01-08 00:49 2558568 ----a-w- c:\windows\system32\nvsvcr.dll
2011-01-08 00:49 . 2011-01-08 00:49 1005160 ----a-w- c:\windows\system32\nvvsvc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"a-squared"="c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2guard.exe" [2011-03-10 3438992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"= 1 (0x1)
"ForceActiveDesktopOn"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 WRConsumerService;Webroot Client Service;c:\program files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 a2injectiondriver;a2injectiondriver;c:\program files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2010-09-05 48216]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files (x86)\Emsisoft Anti-Malware\a2util64.sys [2010-05-05 14720]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [2011-04-03 2860800]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
S3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [2011-02-21 85800]
S3 bcm44amd64;Broadcom 440x 10/100 Integrated Controller XP Driver;c:\windows\system32\DRIVERS\b44amd64.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-01-08 313448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: driveragent.com
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-WebrootTrayApp - c:\program files (x86)\Webroot\Security\Current\Framework\WRTray.exe
AddRemove-Webroot Software - c:\programdata\{3140EA8C-7399-4EC4-819C-16996F38FCFC}\WRInstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3667396521-1161065911-1713776631-1001\Software\Microsoft\Protected Storage System Provider\S-1-5-21-3667396521-1161065911-1713776631-1001]
@Denied: (Full) (LocalSystem)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-05 21:15:26
ComboFix-quarantined-files.txt 2011-04-06 01:15
.
Pre-Run: 55,905,988,608 bytes free
Post-Run: 55,832,326,144 bytes free
.
- - End Of File - - 79BC952380A11D2543713A5C7FECE872

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 06 April 2011 - 05:51 AM

Hi,

the /R SPAWN was something you saw when you first started ComboFix or something you saw shortly before you were infected?

Have you been able to enable a-squared since?

regards myrti



#15 StephL67

StephL67
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Female
  • Location:Georgia

Posted 14 April 2011 - 02:17 AM

My apologies for taking so long to reply; I have been working some very long hours (6am-8pm and later)...

I see my post regarding the R/SPAWN was unclear and confusing. That issue was relating to the Emsisoft update: the program wanted to d/l an update and it was in that popup that I saw the unknown ...code?

ComboFix d/l and ran with no issues.

I also still need to reset the router. I truly have intentions to do that every day after work, but by the time I get home it is just too late and I fear I will run into issues and it will be time consuming; last time I messed with the router I had to call my son to get me back online.

I am posting this from another computer and am not sure about how a-squared is running; I will update this post tomorrow when I can access the laptop to verify. Just wanted to update you since it has been a week, I didn't want you to think I had just abandoned this.



