Browsers keep redirecting


21 replies to this topic

#1 georgefky

georgefky

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:28 AM

Posted 24 June 2011 - 06:51 PM

Below are the files your procedure has said you will need. If there is something I have not done correctly just let me know and I will make sure you get exactly what you need. Thanks so much in advance for your help. George

DDS Information Below

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Run by Jesse at 16:47:22 on 2011-06-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.306 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTimeSync\iTimeSync.exe
C:\Program Files\Genie-Soft\GBMPro8\GBMAgent.exe
C:\Program Files\Keyspan\USB Server\nhciTask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [iTimeSync.exe] c:\program files\itimesync\iTimeSync.exe
uRun: [GBMPro8Agent] "c:\program files\genie-soft\gbmpro8\GBMAgent.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [WinVNC] "c:\program files\realvnc\winvnc\WinVNC.exe" -servicehelper
mRun: [GBMPro8Agent] "c:\program files\genie-soft\gbmpro8\GBMAgent.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Kernel and Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\keyspa~1.lnk - c:\program files\keyspan\usb server\nhciTask.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230587238234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 166.102.165.11
TCP: Interfaces\{1DA1B368-941D-4FE3-8C7B-36FD3D5987C6} : DhcpNameServer = 208.67.222.222 208.67.220.220 166.102.165.11
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 184.95.59.211 www.google.com
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jesse\application data\mozilla\firefox\profiles\ibl2chsp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\jesse\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\jesse\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R3 NHCI;NHCI;c:\windows\system32\drivers\nhci.sys [2009-1-7 32000]
R3 NHCIENUM;NHCIENUM;c:\windows\system32\drivers\nhcienum.sys [2009-1-7 34560]
S2 gupdate1ca5ae624e929de;Google Update Service (gupdate1ca5ae624e929de);c:\program files\google\update\GoogleUpdate.exe [2009-10-29 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-29 133104]
.
=============== Created Last 30 ================
.
2011-06-24 11:40:28 -------- d-sha-r- C:\cmdcons
2011-06-24 11:34:14 208896 ----a-w- c:\windows\MBR.exe
2011-06-24 11:34:13 98816 ----a-w- c:\windows\sed.exe
2011-06-24 11:34:13 518144 ----a-w- c:\windows\SWREG.exe
2011-06-24 11:34:13 256512 ----a-w- c:\windows\PEV.exe
2011-06-22 17:43:46 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-22 17:43:45 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-06-22 17:43:44 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-22 17:43:44 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-22 17:43:44 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-06-22 17:43:44 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-22 17:43:44 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-22 17:43:44 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-22 17:43:44 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-22 17:43:44 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-18 16:55:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 16:35:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-07 16:35:34 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00VYA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822F96D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x822ff9d0]; MOV EAX, [0x822ffa4c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13A7] -> \Device\Harddisk0\DR0[0x8236EA98]
3 CLASSPNP[0xF8583FD7] -> nt!IofCallDriver[0x804E13A7] -> [0x823579C8]
\Driver\atapi[0x82347F38] -> IRP_MJ_CREATE -> 0x822F96D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x822F951B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:47:51.81 ===============


GMER Info Below:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-24 17:14:27
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD3200AAKS-00VYA0 rev.12.01B02
Running: gmer.exe; Driver: C:\DOCUME~1\Jesse\LOCALS~1\Temp\uxddypoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Jesse\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00D5000A
.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00A2000C
.text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00A8000A
.text C:\WINDOWS\System32\svchost.exe[1056] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0081000C
.text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 020C000A
.text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 020D000A
.text C:\WINDOWS\System32\svchost.exe[1056] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 020E000A
.text C:\WINDOWS\System32\svchost.exe[1056] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 020B000A

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822F951B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 822F951B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 822F951B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 822F951B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-e 822F951B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-3 822F951B

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@foodnetwork[2].txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@hgtv[1].txt 545 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@scorecardresearch[1].txt 106 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt 176 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt 1010 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@46.161.28[2].txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0PE3WLAR\index[1].html 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\X6GX5GE1\index[1].html 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\X6GX5GE1\97.c.clickpayz[1].htm 0 bytes

---- EOF - GMER 1.0.15 ----
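A defender-side triage script for the two findings in the logs above: the DDS "Hosts:" lines that send www.google.com, search.yahoo.com and www.bing.com to 184.95.59.x (the hosts-file hijack behind the redirects), and GMER's "TDL4@MBR" and DriverStartIo hook lines. This is an added example, not code from the thread or from DDS/GMER; the sample lines are constructed in the shape of the post's output, and the regexes assume that line format.

```python
"""Triage helper for DDS / GMER output pasted in a malware-removal thread.

Added example: it scans text lines of the kind DDS and GMER emit and pulls
out the findings that explain "browsers keep redirecting": hosts-file
entries mapping search-engine names to a public IP, GMER's MBR rootkit
lines, and the atapi DriverStartIo hook the MBR detector reports.
"""
import ipaddress
import re

# Constructed sample, built from the shape (and values) of the logs above.
SAMPLE_LOG = """\
uStart Page = hxxp://yahoo.com/
Hosts: 184.95.59.211 www.google.com
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 www.bing.com
Hosts: 127.0.0.1 localhost
Hosts: 192.168.1.20 nas.local
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 166.102.165.11
Disk \\Device\\Harddisk0\\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior
\\Driver\\atapi DriverStartIo -> 0x822F951B
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
MBR_RE = re.compile(
    r"^Disk\s+(\S+)\s+(.*(?:@MBR code has been found|rootkit-like behavior).*)$")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+DriverStartIo\s+->\s+(0x[0-9A-Fa-f]+)")


def parse_hosts(log):
    """Return (ip, hostname) for every 'Hosts:' line DDS printed."""
    out = []
    for ln in log.splitlines():
        m = HOSTS_RE.match(ln.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def suspicious_hosts(log):
    """Hosts entries that map a name to a globally routable address.

    A benign hosts file maps names to loopback (127.0.0.1 / ::1) or to LAN
    addresses. Pointing www.google.com at a public IP means every visit to
    that name is served by whoever runs that IP, which is the redirect the
    poster describes. Unparsable addresses are reported too.
    """
    flagged = []
    for ip, name in parse_hosts(log):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparsable address"))
            continue
        if addr.is_global:
            flagged.append((ip, name, "public address"))
    return flagged


def redirect_targets(log):
    """Distinct public IPs the hijacked names funnel traffic to; three search
    engines sharing one /24 is a strong sign of a single hijack."""
    return sorted({ip for ip, _, why in suspicious_hosts(log)
                   if why == "public address"})


def mbr_findings(log):
    """GMER 'Disk ...' lines reporting MBR rootkit code or rootkit-like sectors."""
    return [(m.group(1), m.group(2)) for m in
            (MBR_RE.match(ln.strip()) for ln in log.splitlines()) if m]


def driver_hooks(log):
    """'\\Driver\\X DriverStartIo -> addr' lines from the MBR detector: a
    StartIo routine redirected to a foreign address hides the real MBR."""
    return [m.groups() for m in
            (HOOK_RE.match(ln.strip()) for ln in log.splitlines()) if m]


def triage(log):
    """Collect everything a responder wants to see first, as one dict."""
    return {
        "hosts_redirects": suspicious_hosts(log),
        "redirect_targets": redirect_targets(log),
        "mbr_findings": mbr_findings(log),
        "driver_hooks": driver_hooks(log),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```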


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:28 AM

Posted 24 June 2011 - 08:10 PM

Please post the ComboFix Log(s)

then run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 georgefky

georgefky
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:28 AM

Posted 24 June 2011 - 08:57 PM

Are you asking me to run Combofix?

I did run it earlier today based on other information I found on the net before I found your site and the procedures you have posted. At that time I was not able to save the log files from that run. That is when I started to do more searching and found this site. I have done nothing else since downloading your procedure and running the DDS and GMER scans.

Please confirm that you would like me to run combofix. I just don't want to screw something up and make it more difficult to fix this. Thanks
George

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:28 AM

Posted 24 June 2011 - 08:59 PM

No, I noticed from your log that you had run ComboFix. The log(s) are saved automatically.

Depending on how many times you ran the program, you will find them at c:\ComboFix.txt or c:\Qoobox\ComboFix2.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 georgefky

georgefky
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:28 AM

Posted 24 June 2011 - 10:25 PM

I only ran the ComboFix program one time. Below are the log and the quarantined log.

ComboFix Log below:

ComboFix 11-06-23.03 - Jesse 06/24/2011 8:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.244 [GMT -4:00]
Running from: c:\documents and settings\Jesse\Desktop\Combo-Fix.exe
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Application Data\gog.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-23 07:04 . 2011-06-23 07:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-23 07:04 . 2011-06-23 07:04 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-23 07:02 . 2011-06-23 07:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-23 06:58 . 2011-06-23 06:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-23 00:04 . 2011-06-23 00:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-22 17:43 . 2011-06-16 04:17 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-22 17:43 . 2011-06-16 04:17 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-06-22 17:43 . 2011-06-16 04:17 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-22 17:43 . 2011-06-16 04:17 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-22 17:43 . 2011-06-16 04:17 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-06-22 17:43 . 2011-06-16 04:17 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-22 17:43 . 2011-06-16 04:17 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-22 17:43 . 2011-06-16 04:17 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-22 17:43 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-22 17:43 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-22 12:59 . 2011-06-22 12:59 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-06-21 23:49 . 2011-06-21 23:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-06-18 16:59 . 2011-06-18 16:59 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-18 16:55 . 2011-06-18 16:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 22:05 . 2008-11-12 21:02 182056 ------w- c:\windows\system32\drivers\ssidrv.sys
2011-04-18 22:05 . 2008-11-12 21:02 24496 ------w- c:\windows\system32\drivers\sshrmd.sys
2011-04-18 22:05 . 2011-01-04 02:11 47120 ------w- c:\windows\system32\drivers\ssfmonm.sys
2011-06-16 04:17 . 2011-06-22 17:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTimeSync.exe"="c:\program files\iTimeSync\iTimeSync.exe" [2008-12-30 44544]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-03-11 114688]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2007-09-21 55824]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-05-26 1378352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Keyspan USB Server Task.lnk - c:\program files\Keyspan\USB Server\nhciTask.exe [2009-1-7 102400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 14:10 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [1/3/2011 10:11 PM 47120]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [5/26/2011 9:02 AM 3276136]
R3 NHCI;NHCI;c:\windows\system32\drivers\nhci.sys [1/7/2009 4:09 PM 32000]
R3 NHCIENUM;NHCIENUM;c:\windows\system32\drivers\nhcienum.sys [1/7/2009 4:09 PM 34560]
S2 gupdate1ca5ae624e929de;Google Update Service (gupdate1ca5ae624e929de);c:\program files\Google\Update\GoogleUpdate.exe [10/29/2009 9:12 AM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/29/2009 9:12 AM 133104]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-22 c:\windows\Tasks\GBM - JesseDoc&Settings01-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-12-31 10:27]
.
2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 13:12]
.
2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 13:12]
.
2011-06-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1202660629-1004336348-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1202660629-1004336348-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 166.102.165.11
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\ibl2chsp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-cleanddm - c:\documents and settings\Jesse\Application Data\cleanddm.exe
AddRemove-iTimeSync - c:\program files\Common Files\InstallerA\Setup.exe \SYNC
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-24 08:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00VYA0 rev.12.01B02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x822FD51B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(664)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2011-06-24 09:05:56
ComboFix-quarantined-files.txt 2011-06-24 13:05
.
Pre-Run: 215,154,950,144 bytes free
Post-Run: 215,994,048,512 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 264E0FF4C462028B97635C00A88EBF57



ComboFix Quarantined Log Below:


2011-06-24 13:04:55 . 2011-06-24 13:04:55 776 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-iTimeSync.reg.dat
2011-06-24 13:02:46 . 2011-06-24 13:02:46 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-cleanddm.reg.dat
2011-06-24 12:28:49 . 2011-06-24 12:28:49 5,044 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-06-24 11:47:19 . 2011-06-24 11:47:19 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2011-06-24 11:33:41 . 2011-06-24 11:58:38 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-06-22 03:43:06 . 2011-06-22 03:43:06 663,040 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\gog.exe.vir


TDSSKiller Log 1 below:

2011/06/24 23:11:49.0531 3916 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/24 23:11:50.0015 3916 ================================================================================
2011/06/24 23:11:50.0015 3916 SystemInfo:
2011/06/24 23:11:50.0015 3916
2011/06/24 23:11:50.0015 3916 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/24 23:11:50.0015 3916 Product type: Workstation
2011/06/24 23:11:50.0015 3916 ComputerName: JESSE02
2011/06/24 23:11:50.0015 3916 UserName: Jesse
2011/06/24 23:11:50.0015 3916 Windows directory: C:\WINDOWS
2011/06/24 23:11:50.0015 3916 System windows directory: C:\WINDOWS
2011/06/24 23:11:50.0015 3916 Processor architecture: Intel x86
2011/06/24 23:11:50.0015 3916 Number of processors: 2
2011/06/24 23:11:50.0015 3916 Page size: 0x1000
2011/06/24 23:11:50.0015 3916 Boot type: Normal boot
2011/06/24 23:11:50.0015 3916 ================================================================================
2011/06/24 23:11:51.0125 3916 Initialize success
2011/06/24 23:12:11.0687 3912 Deinitialize success



TDSSKiller Log 2 below:

2011/06/24 23:12:23.0843 1640 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/24 23:12:24.0187 1640 ================================================================================
2011/06/24 23:12:24.0187 1640 SystemInfo:
2011/06/24 23:12:24.0187 1640
2011/06/24 23:12:24.0187 1640 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/24 23:12:24.0187 1640 Product type: Workstation
2011/06/24 23:12:24.0187 1640 ComputerName: JESSE02
2011/06/24 23:12:24.0187 1640 UserName: Jesse
2011/06/24 23:12:24.0187 1640 Windows directory: C:\WINDOWS
2011/06/24 23:12:24.0187 1640 System windows directory: C:\WINDOWS
2011/06/24 23:12:24.0187 1640 Processor architecture: Intel x86
2011/06/24 23:12:24.0187 1640 Number of processors: 2
2011/06/24 23:12:24.0187 1640 Page size: 0x1000
2011/06/24 23:12:24.0187 1640 Boot type: Normal boot
2011/06/24 23:12:24.0187 1640 ================================================================================
2011/06/24 23:12:25.0187 1640 Initialize success
2011/06/24 23:12:30.0234 2456 ================================================================================
2011/06/24 23:12:30.0234 2456 Scan started
2011/06/24 23:12:30.0234 2456 Mode: Manual;
2011/06/24 23:12:30.0234 2456 ================================================================================
2011/06/24 23:12:33.0937 2456 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/24 23:12:33.0968 2456 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/24 23:12:34.0078 2456 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/24 23:12:34.0140 2456 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/24 23:12:34.0171 2456 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/24 23:12:34.0203 2456 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/24 23:12:34.0234 2456 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/24 23:12:34.0281 2456 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/24 23:12:34.0312 2456 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/24 23:12:34.0359 2456 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/24 23:12:34.0375 2456 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/24 23:12:34.0390 2456 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/24 23:12:34.0406 2456 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/24 23:12:34.0437 2456 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/24 23:12:34.0453 2456 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/24 23:12:34.0500 2456 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/24 23:12:34.0578 2456 NHCI (9da0c24fddc158ca3bd68331d11d2791) C:\WINDOWS\system32\DRIVERS\nhci.sys
2011/06/24 23:12:34.0609 2456 NHCIENUM (b8242d9ef5af8075898b4be5abab7910) C:\WINDOWS\system32\DRIVERS\nhcienum.sys
2011/06/24 23:12:34.0656 2456 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/24 23:12:34.0687 2456 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/24 23:12:34.0734 2456 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/24 23:12:34.0781 2456 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/24 23:12:34.0796 2456 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/24 23:12:34.0828 2456 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/24 23:12:34.0843 2456 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/24 23:12:34.0875 2456 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/24 23:12:34.0921 2456 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/24 23:12:34.0968 2456 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/06/24 23:12:35.0000 2456 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/24 23:12:35.0140 2456 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/24 23:12:35.0156 2456 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/24 23:12:35.0171 2456 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/24 23:12:35.0218 2456 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/06/24 23:12:35.0328 2456 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/24 23:12:35.0359 2456 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/24 23:12:35.0375 2456 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/24 23:12:35.0390 2456 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/24 23:12:35.0453 2456 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/24 23:12:35.0484 2456 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/24 23:12:35.0515 2456 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/24 23:12:35.0562 2456 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/24 23:12:35.0609 2456 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/24 23:12:35.0687 2456 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/24 23:12:35.0718 2456 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/24 23:12:35.0765 2456 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/24 23:12:35.0781 2456 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/24 23:12:35.0859 2456 smwdm (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
2011/06/24 23:12:35.0906 2456 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/24 23:12:35.0953 2456 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/24 23:12:36.0000 2456 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/24 23:12:36.0031 2456 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/24 23:12:36.0046 2456 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/24 23:12:36.0140 2456 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/24 23:12:36.0234 2456 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/24 23:12:36.0265 2456 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/24 23:12:36.0296 2456 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/24 23:12:36.0328 2456 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/24 23:12:36.0390 2456 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/24 23:12:36.0437 2456 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/24 23:12:36.0500 2456 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/06/24 23:12:36.0531 2456 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/06/24 23:12:36.0562 2456 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/24 23:12:36.0578 2456 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/24 23:12:36.0609 2456 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/24 23:12:36.0656 2456 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/06/24 23:12:36.0687 2456 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/24 23:12:36.0718 2456 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/24 23:12:36.0750 2456 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/24 23:12:36.0781 2456 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/24 23:12:36.0843 2456 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/24 23:12:36.0875 2456 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/24 23:12:36.0921 2456 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/06/24 23:12:36.0968 2456 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/24 23:12:37.0015 2456 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
2011/06/24 23:12:37.0093 2456 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/24 23:12:37.0125 2456 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/24 23:12:37.0171 2456 {6080A529-897E-4629-A488-ABA0C29B635E} (3ee36328e860fbf102b54608a055c6be) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/06/24 23:12:37.0187 2456 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (17f39a1916733ed228eb46ad67c35426) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/06/24 23:12:37.0203 2456 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/24 23:12:37.0218 2456 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/24 23:12:37.0218 2456 ================================================================================
2011/06/24 23:12:37.0218 2456 Scan finished
2011/06/24 23:12:37.0218 2456 ================================================================================
2011/06/24 23:12:37.0234 2452 Detected object count: 1
2011/06/24 23:12:37.0234 2452 Actual detected object count: 1
2011/06/24 23:13:05.0937 2452 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/24 23:13:05.0953 2452 \Device\Harddisk0\DR0 - ok
2011/06/24 23:13:05.0953 2452 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure




I did bring up Firefox and the problem is still there.
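As an added defender-side example, not code from this thread or from TDSSKiller itself: a Python parser for the log format posted above that pulls out the module inventory, the detection, the scheduled cure and the user's chosen action, and compares two logs so the rescan-after-reboot step can be checked mechanically. The sample log embedded in it is constructed from a handful of lines shaped like the one above.

```python
"""Parse a TDSSKiller log and summarise its detections (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a few lines shaped like the TDSSKiller log posted above.
SAMPLE_LOG = r"""
2011/06/24 23:12:32.0468 2456 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/24 23:12:36.0234 2456 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/24 23:12:37.0203 2456 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/24 23:12:37.0218 2456 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/24 23:12:37.0218 2456 Scan finished
2011/06/24 23:12:37.0234 2452 Detected object count: 1
2011/06/24 23:12:37.0234 2452 Actual detected object count: 1
2011/06/24 23:13:05.0937 2452 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/24 23:13:05.0953 2452 \Device\Harddisk0\DR0 - ok
2011/06/24 23:13:05.0953 2452 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
"""

# Every log line is "<date> <time> <pid> <body>"; the body decides the line type.
PREFIX = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
MODULE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>\S.*)$")
DETECTED = re.compile(r"^(?P<obj>\S+) - detected (?P<threat>\S+) \((?P<flags>\d+)\)$")
PENDING = re.compile(r"^(?P<obj>\S+) \((?P<threat>\S+)\) - will be cured after reboot$")
ACTION = re.compile(r"^(?P<threat>\S+)\((?P<obj>\S+)\) - User select action: (?P<action>\w+)$")
COUNT = re.compile(r"^(Actual )?[Dd]etected object count: (\d+)$")
# Raw physical-disk device names: a hit here is the boot sector (MBR), not a file.
BOOT_DEVICE = re.compile(r"^\\Device\\Harddisk\d+\\DR\d+$")


@dataclass
class Detection:
    obj: str
    threat: str
    action: str = "none"             # from the "User select action" line, if any
    cure_pending_reboot: bool = False


@dataclass
class ScanReport:
    modules: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, md5, path)
    detections: Dict[str, Detection] = field(default_factory=dict)     # keyed by object
    reported_count: Optional[int] = None
    actual_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Walk the log once; module lines go to the inventory, the rest to detections."""
    report = ScanReport()
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue                                   # blank or non-log line
        body = m.group(3)
        if (d := DETECTED.match(body)):
            report.detections[d["obj"]] = Detection(d["obj"], d["threat"])
        elif (p := PENDING.match(body)):
            det = report.detections.setdefault(p["obj"], Detection(p["obj"], p["threat"]))
            det.cure_pending_reboot = True
        elif (a := ACTION.match(body)):
            det = report.detections.setdefault(a["obj"], Detection(a["obj"], a["threat"]))
            det.action = a["action"]
        elif (c := COUNT.match(body)):
            if c.group(1):                             # "Actual detected object count"
                report.actual_count = int(c.group(2))
            else:
                report.reported_count = int(c.group(2))
        elif (mod := MODULE.match(body)):
            report.modules.append((mod["name"], mod["md5"], mod["path"]))
    return report


def triage(report: ScanReport) -> List[str]:
    """Findings a responder wants: what was hit, where, and whether it is resolved."""
    findings = []
    if report.reported_count is not None and report.reported_count != len(report.detections):
        findings.append(f"count mismatch: log reports {report.reported_count} objects, "
                        f"parsed {len(report.detections)}")
    for det in report.detections.values():
        where = "boot sector (MBR) of a physical disk" if BOOT_DEVICE.match(det.obj) else "file or driver"
        if det.action == "Cure" and det.cure_pending_reboot:
            status = "cure scheduled, reboot required before a fresh scan means anything"
        elif det.action == "Cure":
            status = "cured"
        elif det.action == "none":
            status = "no action recorded, object still in place"
        else:
            status = f"action {det.action}, object still in place"
        findings.append(f"{det.threat} on {det.obj} [{where}]: {status}")
    if not report.detections:
        findings.append("no detections in this log")
    return findings


def still_detected(before: ScanReport, after: ScanReport) -> Set[str]:
    """Objects flagged in both logs: a cure that did not survive the reboot."""
    return set(before.detections) & set(after.detections)


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(rep.modules)} modules inventoried")
    for line in triage(rep):
        print(line)
```

Feed the pre-reboot and post-reboot logs to `still_detected` to see whether the MBR object is gone before moving on to the next tool.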

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:28 AM

Posted 24 June 2011 - 10:31 PM

Did you give the machine a reboot after the last run of TDSSKiller?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 georgefky (Topic Starter)

Posted 24 June 2011 - 10:53 PM

Yes, I did.

I just did it again and the problem is still there. IE and Firefox do something a little different.
On IE, when you do a Google search and then click on one of the results, you are directed back to the Google home search page.

On Firefox, when you click on one of the search results you go to a blank screen, but there is a very long URL in the URL window that is not the one from the search result you clicked on.

#8 CatByte

Posted 24 June 2011 - 11:04 PM

Hi

Please do the following:

Scan With RootKitUnHooker

  • Please Download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth
  • Uncheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished and then click File > Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



NEXT

Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up HERE.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

NEXT

  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between ..g /f; it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.



#9 georgefky (Topic Starter)

Posted 24 June 2011 - 11:20 PM

Hello

It is not a DNS problem. The browser will find the correct site if you type in any URL. The only problem is when you click on the results of a search. I have several PCs on the network and all others are fine. I have a commercial SonicWall firewall between my modem and the rest of the network. All else on the network is running great except for browser redirects from a search list on that one machine.

I will do the download of the Rootkit Unhooker and post the results from that.

Talk soon.
George

#10 georgefky (Topic Starter)

Posted 24 June 2011 - 11:38 PM

I ran the Rootkit Unhooker as requested. I checked that the DNS addresses in the system are correct; I use OpenDNS on all my systems (208.67.222.222 and 208.67.220.220). I also did the flush as requested. I also rebooted the system after this scan and the problem is still there. Not sure if this was just to collect information or if you expected to see a change.

Report from RootkitUnhooker below:



RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
==============================================
>Stealth
==============================================

#11 CatByte

Posted 24 June 2011 - 11:56 PM

No.

It was just to collect information, but it isn't showing anything:

Please rerun TDSSKiller and post a fresh log.

Do the same for ComboFix; allow it to update if it requests to do so, and post the resulting log.



#12 georgefky (Topic Starter)

Posted 25 June 2011 - 07:38 AM

Hello CatByte

I reran TDSSKiller this morning and have posted the results at the end of this post.

Being a little more awake this morning I saw something else I think is a problem. In the beginning of trying to remove this problem, prior to getting on the forum, I did a removal of my virus software "WebRoot" because it did not seem to have any way to shut it down while I was working on this problem. It turns out that it did not completely remove itself. This morning I tried to remove it again and it did not complete the removal. There was an information page that came up with information about options. I did a "view page source" and then saved the resulting HTML information from the page so I could post the information to you here. It is the only way I could think of at the time to save the information on the screen. I have not downloaded the suggested cleanup program. I thought it best to post this information and make sure you are up to date first. I am wondering if this is where the virus is hiding. After the information below is the new TDSSKiller log.

I will be leaving later this morning to go out of town for 24hrs to attend a 60th wedding anniversary celebration. I will work as long as I can but I wanted to let you know so you don't think I just quit posting or something.

Please let me know what you think are the next best steps. Thanks

George

WebRoot uninstall information in HTML form below:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta content="Copyright 1997 - 2011 Webroot, Inc. All Rights Reserved" name="copyright"/>
<link href="/shared/img_structure/favicon.ico" rel="shortcut icon"/>
<title>Installation Support</title>
<link href="/css/configurator.css" rel="stylesheet" media="print,screen" type="text/css" />
<style type="text/css">
.configurator-head p {
float:none;
font:12px Arial;
padding:0 0 12px;
width:650px;
}

.configurator-head ol {
float:none;
font:12px Arial;
padding:0 0 12px;
width:650px;
}

.configurator-head ol li {
list-style-type:decimal;
padding:0 0 12px 5px;
margin: 0 0 0 25px;
}

.configurator-head ul li {
list-style-type:disc;
padding:0 0 12px 5px;
}
</style>
</head>
<body>
<script type="text/javascript" src="/js/mbox.js"></script>
<script type="text/javascript" src="/js/jquery.js"></script>


<div class="header">
<div class="inner">
<h1><a title="home" href="http://www.webroot.com"><span>webroot</span></a></h1>
</div>
</div>
<div class="clear"></div>
<div class="content configurator">
<div class="inner">
<div class="configurator-head">
<h2>Installation Support</h2>
<p style="padding-top:15px;">
Webroot strives to ensure your experience installing or uninstalling
our software is as seamless as possible, but occasionally errors do
occur. If you have received such an error, the following information
may help.
</p>
<h4 style="font-weight:bold;">Trouble Installing or Uninstalling?</h4>
<p style="padding-top:10px;">
Most install or uninstall errors can be resolved by either uninstalling
any previously installed Webroot security software or by running a couple
of specialized cleanup utilities first and then reinstalling anew. The
following are the recommended steps to follow:
<ol>
<li>
In <b>Windows XP</b> click on the Start button and open the Control
Panel, select "Add or Remove Programs", and then select the 'Webroot'
security product from the list and click 'Remove'. Restart your
computer after the uninstall is complete.<br />&nbsp;<br />

In <b>Windows Vista</b> or <b>Windows 7</b>, click on the Start
button and open the Control Panel. You will see either "Uninstall a
Program" or "Programs and Features" - double-click whichever option
you see. Select the 'Webroot' security product from the list and
click 'Uninstall'. Restart your computer after the uninstall is
complete.<br />&nbsp;<br />

<span style="display:inline;"><b><i>Note:</i></b> If
you receive an error during this step, please proceed to Step 2;
otherwise you may skip ahead to Step 5 below.</span>
</li>
<li>
<span style="color:red;font-style:italic;display:inline;">Please note:</span>
<i>It is highly recommend that you only perform Steps 3 through 6
after first creating a System Restore Point</i> described in this
step. Ensuring that the Windows built-in System Restore feature is
enabled and that regular restore points are created can be very
valuable in the event that restoring to an earlier time is
needed.<br />&nbsp;<br />
<ul>
<li>
To create a System Restore Point in <b>Windows XP</b> go to Start
&gt; All Programs &gt; Accessories &gt; System Tools &gt; System
Restore &gt; Create a restore point.
</li>
<li>
In <b>Windows Vista</b> and <b>Windows 7</b>, go to Start &gt;
right-click on Computer &gt; choose Properties &gt; Select System
protection from the left-hand panel &gt; and choose Create.
</li>
</ul>
</li>
<li>
After you have created the recommended System Restore Point, download
and Save the Webroot <b>WRUpgradeTool.exe</b> upgrade/cleanup tool to
your Desktop by
<a target="_blank" href="http://download.webroot.com/WRUpgradeTool.exe">clicking here</a>,
or by copying and pasting the following URL into your Internet browser's
address bar:<br />
http://download.webroot.com/WRUpgradeTool.exe<br />&nbsp;<br />

<span style="display:inline;"><b><i>Note:</i></b>
Running the <b>WRUpgradeTool.exe</b> utility can benefit those that
had previously installed or attempted to install Webroot's security
software, and may still have residual installed files that may be
interfering with the current installation attempt.</span>
</li>
<li>
Double-click on the Webroot Upgrade/Cleanup tool <b>WRUpgradeTool.exe</b>
to run, and follow the prompts to start the uninstall process. The cleanup
tool is finished when the last line reads "Removal procedures have been
completed." At this point you can click the <b>Close</b> button. If prompted
by a dialog box that reads "To complete the cleanup process, you must reboot
this computer. Click OK to reboot," please restart you computer now by
clicking on the <b>OK</b> button now.
</li>
<li>
To install/reinstall the Webroot security software, please insert your
Webroot product CD or follow the download and installation instructions
received through email.
</li>
<li>
If you are still encounter difficulties installing the Webroot security
software, please re-download and save the Webroot <b>WRUpgradeTool.exe</b>
upgrade/cleanup tool to your Desktop by
<a target="_blank" href="http://download.webroot.com/WRUpgradeTool.exe">clicking here</a>.
Reboot your computer into
<a target="_blank" href="http://support.webroot.com/cgi-bin/webroot.cfg/php/enduser/std_adp.php?p_faqid=57">Windows Safe Mode with Networking</a>
and follow Step 6 above. Once the <b>WRUpgradeTool.exe</b> utility has
completed you can either reboot back into Windows Normal mode or attempt
to install in Windows Safe Mode with Networking.<br />&nbsp;<br />

<span style="display:inline;"><b><i>Note:</i></b>
Installing the Webroot security software in
<a target="_blank" href="http://support.webroot.com/cgi-bin/webroot.cfg/php/enduser/std_adp.php?p_faqid=57">Windows Safe Mode with Networking</a>
can be particularly useful if your system is currently suffering
from a malware infection, or if the Windows Installer service is
not fully functional.
</li>
</ol>
</p>
<p>If the above steps do not resolve your issue, our Customer Support
staff is waiting to help you out. Please visit them online by
<a href="http://support.webroot.com/">clicking here</a>.
</p>
</div>
<div class="clear"></div>
<div stlye="height:50px;">&nbsp;</div>
</div>
</div>

<div class="copyright">
<p>Copyright 2011 Webroot Software, Inc.</p>
</div>

<!-- SiteCatalyst code version: H.21.
Copyright 1996-2011 Adobe, Inc. All Rights Reserved
More info available at http://www.omniture.com -->
<script type="text/javascript" src="/js/om_sc.js"></script>
<script type="text/javascript"><!--

s.channel="En_US : Consumer";
s.eVar11="En_US : Consumer";
s.eVar21="18";
s.prop14="En_US";
s.eVar14="En_US";
s.eVar17="INSTALL ERROR | WAV | 1 | GREATER 6";
s.pageName="En_US | CONSUMER | PROD INTERACTION | INSTALL ERROR | WAV | 1 | GREATER 6";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//--></script>
<script language="JavaScript" type="text/javascript"><!--
if(navigator.appVersion.indexOf('MSIE')>=0)document.write(unescape('%3C')+'\!-'+'-')
//--></script><noscript><a href=http://www.omniture.com title="WebAnalytics"><img
src="http://webroot.112.2o7.net/b/ss/webrootglobalprod/1/H.21--NS/0"
height="1" width="1" border="0" alt="" /></a></noscript><!--/DO NOT REMOVE/-->
<!-- End SiteCatalyst code version: H.21. -->

</body>
</html>

TDSSKiller new log information below:

2011/06/25 07:59:58.0359 4016 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/25 07:59:58.0937 4016 ================================================================================
2011/06/25 07:59:58.0937 4016 SystemInfo:
2011/06/25 07:59:58.0937 4016
2011/06/25 07:59:58.0937 4016 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/25 07:59:58.0937 4016 Product type: Workstation
2011/06/25 07:59:58.0937 4016 ComputerName: JESSE02
2011/06/25 07:59:58.0937 4016 UserName: Jesse
2011/06/25 07:59:58.0937 4016 Windows directory: C:\WINDOWS
2011/06/25 07:59:58.0937 4016 System windows directory: C:\WINDOWS
2011/06/25 07:59:58.0937 4016 Processor architecture: Intel x86
2011/06/25 07:59:58.0937 4016 Number of processors: 2
2011/06/25 07:59:58.0937 4016 Page size: 0x1000
2011/06/25 07:59:58.0937 4016 Boot type: Normal boot
2011/06/25 07:59:58.0937 4016 ================================================================================
2011/06/25 08:00:00.0312 4016 Initialize success
2011/06/25 08:00:25.0796 2192 ================================================================================
2011/06/25 08:00:25.0796 2192 Scan started
2011/06/25 08:00:25.0796 2192 Mode: Manual;
2011/06/25 08:00:25.0796 2192 ================================================================================
2011/06/25 08:00:31.0390 2192 ================================================================================
2011/06/25 08:00:31.0390 2192 Scan finished
2011/06/25 08:00:31.0390 2192 ================================================================================
2011/06/25 08:00:31.0406 2596 Detected object count: 0
2011/06/25 08:00:31.0406 2596 Actual detected object count: 0
2011/06/25 08:00:48.0531 2124 Deinitialize success
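
As an added example (not part of the thread and not code from TDSSKiller itself), a small Python parser for the log format pasted above: it pulls out the system info, the driver and MBR rows, and the detection counts, and diffs two runs so that a changed driver or MBR hash, or a non-zero detection count, stands out. The two sample logs are constructed excerpts in the same format; the second run's changed hash and detection count are invented for illustration.

```python
"""Summarise and diff TDSSKiller 2.5.x logs of the kind pasted in this thread.

Added example for this thread; it is not part of TDSSKiller or of the forum posts.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Every log line is "<yyyy/mm/dd hh:mm:ss.ffff> <thread id> <message>" (message may be empty).
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (\d+) ?(.*)$")
# Inventory rows are "<name> (<md5>) <path>"; the non-greedy name also covers "MBR (0x1B8)".
ENTRY_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# The handful of "key: value" messages worth keeping; "Mode: Manual;" carries a trailing ';'.
KEY_VALUE_RE = re.compile(
    r"^(OS Version|Boot type|Mode|Detected object count|Actual detected object count): ?(.*?);?$"
)


@dataclass
class ScanSummary:
    info: dict = field(default_factory=dict)      # "Boot type" -> "Normal boot", ...
    objects: dict = field(default_factory=dict)   # path -> (name, md5) for drivers and MBRs
    detected: Optional[int] = None
    actual_detected: Optional[int] = None
    finished: bool = False                        # saw "Scan finished"; else log may be truncated


def parse_tdsskiller(text: str) -> ScanSummary:
    """Parse one TDSSKiller log; lines that are not log lines (intro sentences) are skipped."""
    s = ScanSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3).strip()
        if msg == "Scan finished":
            s.finished = True
            continue
        kv = KEY_VALUE_RE.match(msg)
        if kv:
            key, value = kv.group(1), kv.group(2).strip()
            if key == "Detected object count":
                s.detected = int(value)
            elif key == "Actual detected object count":
                s.actual_detected = int(value)
            else:
                s.info[key] = value
            continue
        e = ENTRY_RE.match(msg)
        if e:
            # Keyed by path: both disks' MBR rows share the name "MBR (0x1B8)".
            s.objects[e.group("path")] = (e.group("name"), e.group("md5"))
    return s


def mbr_hashes(s: ScanSummary) -> dict:
    """Device path -> MBR md5 for every disk the tool read."""
    return {p: md5 for p, (name, md5) in s.objects.items() if name.startswith("MBR")}


def compare_runs(before: ScanSummary, after: ScanSummary) -> list:
    """Human-readable findings: changed/new/missing objects and any detections in the later run."""
    findings = []
    if not after.finished:
        findings.append("later log has no 'Scan finished' line; it may be truncated")
    for path, (name, md5) in after.objects.items():
        old = before.objects.get(path)
        if old is None:
            findings.append(f"new object {name} at {path}")
        elif old[1] != md5:
            findings.append(f"hash changed for {name} at {path}: {old[1]} -> {md5}")
    for path, (name, _) in before.objects.items():
        if path not in after.objects:
            findings.append(f"no longer listed: {name} at {path}")
    if after.detected:
        findings.append(f"Detected object count: {after.detected} (actual: {after.actual_detected})")
    return findings


# Constructed excerpts in the thread's log format (a full scan lists far more drivers).
RUN_A = r"""
2011/06/25 07:59:58.0937 4016 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/25 07:59:58.0937 4016 Boot type: Normal boot
2011/06/25 08:00:25.0796 2192 Mode: Manual;
2011/06/25 08:00:26.0515 2192 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/25 08:00:30.0234 2192 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/25 08:00:31.0187 2192 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/25 08:00:31.0281 2192 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
2011/06/25 08:00:31.0390 2192 Scan finished
2011/06/25 08:00:31.0406 2596 Detected object count: 0
2011/06/25 08:00:31.0406 2596 Actual detected object count: 0
"""
# Second, made-up run: atapi's hash differs and one object is reported (both values invented).
RUN_B = r"""
2011/06/26 20:16:23.0593 1580 Boot type: Safe boot
2011/06/26 20:16:32.0781 1596 Mode: Manual;
2011/06/26 20:16:39.0187 1596 atapi (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/26 20:16:45.0000 1596 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/26 20:17:05.0000 1596 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/26 20:17:05.0100 1596 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
2011/06/26 20:17:05.0200 1596 Scan finished
2011/06/26 20:17:05.0300 1600 Detected object count: 1
2011/06/26 20:17:05.0300 1600 Actual detected object count: 1
"""

if __name__ == "__main__":
    a, b = parse_tdsskiller(RUN_A), parse_tdsskiller(RUN_B)
    print("run A:", a.info, "objects:", len(a.objects), "detected:", a.detected)
    print("MBR hashes:", mbr_hashes(a))
    for line in compare_runs(a, b):
        print("finding:", line)
```

Feeding it two real logs from the same machine (copy each post's log into a string) shows at a glance whether any driver or MBR hash moved between scans, which is the question the thread is circling.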

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:28 AM

Posted 25 June 2011 - 10:16 AM

Hi,

Yes, please go ahead and run the Webroot removal tool.


Even though TDSSKiller reported fixing the rootkit, the symptoms are indicating there is still an issue.

Please re-run ComboFix > allow it to update and post the latest log, then we'll go from there.

We may need to fix the MBR in the Recovery Console.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 georgefky

georgefky
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:28 AM

Posted 26 June 2011 - 07:58 PM

Hi CatByte

I am back in town and downloaded the Webroot removal program and ran it in safe mode. It did complete as stated in the instructions.

I then ran both TDSSKiller and ComboFix as you requested. The results are posted below. After that I rebooted the system and then tested the browsers .... both Firefox and IE. Both now work great !!!!!

Is there anything else you think I need to do? Is there any additional documentation that I should add to this thread etc.?

George

TDSSKiller Results Below:

2011/06/26 20:16:23.0578 1580 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/26 20:16:23.0593 1580 ================================================================================
2011/06/26 20:16:23.0593 1580 SystemInfo:
2011/06/26 20:16:23.0593 1580
2011/06/26 20:16:23.0593 1580 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/26 20:16:23.0593 1580 Product type: Workstation
2011/06/26 20:16:23.0593 1580 ComputerName: JESSE02
2011/06/26 20:16:23.0593 1580 UserName: Administrator
2011/06/26 20:16:23.0593 1580 Windows directory: C:\WINDOWS
2011/06/26 20:16:23.0593 1580 System windows directory: C:\WINDOWS
2011/06/26 20:16:23.0593 1580 Processor architecture: Intel x86
2011/06/26 20:16:23.0593 1580 Number of processors: 2
2011/06/26 20:16:23.0593 1580 Page size: 0x1000
2011/06/26 20:16:23.0593 1580 Boot type: Safe boot
2011/06/26 20:16:23.0593 1580 ================================================================================
2011/06/26 20:16:26.0125 1580 Initialize success
2011/06/26 20:16:32.0781 1596 ================================================================================
2011/06/26 20:16:32.0781 1596 Scan started
2011/06/26 20:16:32.0781 1596 Mode: Manual;
2011/06/26 20:16:32.0781 1596 ================================================================================
2011/06/26 20:17:00.0875 1596 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/26 20:17:01.0265 1596 NHCI (9da0c24fddc158ca3bd68331d11d2791) C:\WINDOWS\system32\DRIVERS\nhci.sys
2011/06/26 20:17:01.0500 1596 NHCIENUM (b8242d9ef5af8075898b4be5abab7910) C:\WINDOWS\system32\DRIVERS\nhcienum.sys
2011/06/26 20:17:01.0750 1596 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/26 20:17:02.0203 1596 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/26 20:17:02.0671 1596 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/26 20:17:02.0921 1596 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/26 20:17:03.0171 1596 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/26 20:17:03.0453 1596 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/26 20:17:03.0703 1596 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/26 20:17:03.0953 1596 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/26 20:17:04.0187 1596 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/26 20:17:04.0656 1596 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/06/26 20:17:04.0921 1596 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/26 20:17:06.0640 1596 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/26 20:17:06.0937 1596 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/26 20:17:07.0187 1596 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/26 20:17:07.0437 1596 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/06/26 20:17:08.0828 1596 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/26 20:17:09.0078 1596 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/26 20:17:09.0343 1596 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/26 20:17:09.0593 1596 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/26 20:17:09.0875 1596 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/26 20:17:10.0140 1596 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/26 20:17:10.0468 1596 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/26 20:17:10.0859 1596 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/26 20:17:11.0156 1596 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/26 20:17:11.0578 1596 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/26 20:17:11.0859 1596 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/26 20:17:12.0109 1596 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/26 20:17:12.0375 1596 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/26 20:17:13.0046 1596 smwdm (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
2011/06/26 20:17:13.0703 1596 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/26 20:17:13.0968 1596 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/26 20:17:14.0359 1596 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/26 20:17:14.0750 1596 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/26 20:17:14.0984 1596 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/26 20:17:16.0187 1596 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/26 20:17:16.0609 1596 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/26 20:17:16.0968 1596 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/26 20:17:17.0203 1596 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/26 20:17:17.0437 1596 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/26 20:17:18.0000 1596 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/26 20:17:18.0593 1596 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/26 20:17:19.0046 1596 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/06/26 20:17:19.0328 1596 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/06/26 20:17:19.0593 1596 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/26 20:17:19.0843 1596 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/26 20:17:20.0125 1596 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/26 20:17:20.0390 1596 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/06/26 20:17:20.0640 1596 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/26 20:17:20.0906 1596 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/26 20:17:21.0125 1596 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/26 20:17:21.0359 1596 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/26 20:17:21.0843 1596 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/26 20:17:22.0250 1596 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/26 20:17:22.0656 1596 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/06/26 20:17:23.0140 1596 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/26 20:17:23.0468 1596 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
2011/06/26 20:17:23.0984 1596 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/26 20:17:24.0265 1596 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/26 20:17:24.0625 1596 {6080A529-897E-4629-A488-ABA0C29B635E} (3ee36328e860fbf102b54608a055c6be) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/06/26 20:17:24.0906 1596 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (17f39a1916733ed228eb46ad67c35426) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/06/26 20:17:25.0000 1596 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/26 20:17:25.0281 1596 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR2
2011/06/26 20:17:25.0531 1596 ================================================================================
2011/06/26 20:17:25.0531 1596 Scan finished
2011/06/26 20:17:25.0531 1596 ================================================================================
2011/06/26 20:17:25.0578 1588 Detected object count: 0
2011/06/26 20:17:25.0578 1588 Actual detected object count: 0
2011/06/26 20:17:44.0062 1576 Deinitialize success
ComboFix Results Below:


ComboFix 11-06-26.01 - Jesse 06/26/2011 20:24:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.247 [GMT -4:00]
Running from: e:\malwareremoval\ComboFix\Combo-Fix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\whitesmoketoolbar\vmNTemplatex.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-27 to 2011-06-27 )))))))))))))))))))))))))))))))
.
.
2011-06-27 00:22 . 2011-06-27 00:22 -------- d-----w- C:\Combo-Fix
2011-06-27 00:01 . 2011-06-27 00:01 -------- d-----w- c:\documents and settings\Administrator
2011-06-25 03:46 . 2011-06-25 03:46 -------- d-----w- c:\documents and settings\Jesse\Application Data\vmntemplate
2011-06-24 20:53 . 2011-06-25 03:46 -------- d-----w- c:\documents and settings\Jesse\Application Data\whitesmoketoolbar
2011-06-24 20:53 . 2011-06-24 20:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2011-06-24 20:53 . 2011-06-27 00:32 -------- d-----w- c:\program files\whitesmoketoolbar
2011-06-23 07:04 . 2011-06-23 07:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-06-23 07:04 . 2011-06-23 07:04 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-06-23 07:02 . 2011-06-23 07:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-06-23 06:58 . 2011-06-23 06:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-23 00:04 . 2011-06-23 00:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-22 17:43 . 2011-06-16 04:17 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-22 17:43 . 2011-06-16 04:17 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-06-22 17:43 . 2011-06-16 04:17 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-22 17:43 . 2011-06-16 04:17 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-22 17:43 . 2011-06-16 04:17 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-06-22 17:43 . 2011-06-16 04:17 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-22 17:43 . 2011-06-16 04:17 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-22 17:43 . 2011-06-16 04:17 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-22 17:43 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-22 17:43 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-22 12:59 . 2011-06-22 12:59 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-06-21 23:49 . 2011-06-21 23:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-06-18 16:59 . 2011-06-18 16:59 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-18 16:55 . 2011-06-18 16:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 04:17 . 2011-06-22 17:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-24_12.55.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-27 00:20 . 2011-06-27 00:20 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
+ 2008-12-29 21:02 . 2011-06-24 15:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-29 21:02 . 2011-06-24 11:57 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-29 21:02 . 2011-06-24 15:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-29 21:02 . 2011-06-24 11:57 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-29 21:02 . 2011-06-24 15:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-29 21:02 . 2011-06-24 11:57 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-29 22:07 . 2011-06-03 21:56 47716296 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTimeSync.exe"="c:\program files\iTimeSync\iTimeSync.exe" [2008-12-30 44544]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-03-11 114688]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
"GBMPro8Agent"="c:\program files\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-11 189056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2007-09-21 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Keyspan USB Server Task.lnk - c:\program files\Keyspan\USB Server\nhciTask.exe [2009-1-7 102400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 14:10 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R3 NHCI;NHCI;c:\windows\system32\drivers\nhci.sys [1/7/2009 4:09 PM 32000]
R3 NHCIENUM;NHCIENUM;c:\windows\system32\drivers\nhcienum.sys [1/7/2009 4:09 PM 34560]
S2 gupdate1ca5ae624e929de;Google Update Service (gupdate1ca5ae624e929de);c:\program files\Google\Update\GoogleUpdate.exe [10/29/2009 9:12 AM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/29/2009 9:12 AM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-26 c:\windows\Tasks\GBM - JesseC_DriveFilesBK-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-12-31 10:27]
.
2011-06-26 c:\windows\Tasks\GBM - JesseDoc&Settings01-Full.job
- c:\program files\Genie-Soft\GBMPro8\GBM8.exe [2008-12-31 10:27]
.
2011-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 13:12]
.
2011-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-29 13:12]
.
2011-06-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1202660629-1004336348-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
2011-06-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1202660629-1004336348-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 166.102.165.11
FF - ProfilePath - c:\documents and settings\Jesse\Application Data\Mozilla\Firefox\Profiles\ibl2chsp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-26 20:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2011-06-26 20:37:54
ComboFix-quarantined-files.txt 2011-06-27 00:37
ComboFix2.txt 2011-06-24 13:06
.
Pre-Run: 215,671,320,576 bytes free
Post-Run: 215,879,274,496 bytes free
.
- - End Of File - - 1987B94FB17695231395D3DE6D09EBDB

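The "Reg Loading Points" and "Supplementary Scan" parts of the ComboFix log above carry the settings a responder checks first on a redirect complaint: the Security Center overrides, the Windows Firewall state for the standard profile, any remote-control tool in a Run key, and the DNS resolvers handed out by DHCP. The script below is an added example, not ComboFix's own code and not part of the original post; it parses those line formats and emits findings for review. The sample log is constructed from the values shown in the post, and the list of remote-control tool names used for matching is an assumption.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for weak settings.

Added example; not ComboFix's own code. The values in SAMPLE_LOG are copied
from the log posted above; the remote-access tool list is an assumption.
"""
import re

# Constructed sample: the security-relevant lines from the post, same formats.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-03-11 155648]
"WinVNC"="c:\program files\RealVNC\WinVNC\WinVNC.exe" [2003-03-05 335872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220 166.102.165.11
"""

HEADER_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "Name"=value, optionally followed by ComboFix's "[date size]" annotation.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*(\[[^\]]*\])?\s*$')

# Assumed list (not from the page) of remote-control tools worth a second look
# when they autostart; WinVNC is the one visible in the log above.
REMOTE_ACCESS_HINTS = ('winvnc', 'tightvnc', 'ultravnc', 'teamviewer', 'ammyy', 'logmein')


def _dword(value):
    """Decode 'dword:00000001' (hex) or ComboFix's '0 (0x0)' (decimal) to int; None otherwise."""
    m = re.match(r'(?:dword:)?([0-9a-fA-F]+)', value)
    if not m:
        return None
    return int(m.group(1), 16) if value.startswith('dword:') else int(m.group(1), 10)


def audit_combofix(log_text):
    """Return a list of findings (dicts) for settings a responder should review."""
    findings = []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        h = HEADER_RE.match(line)
        if h:
            section = h.group('key').lower()
            continue
        if line.startswith('TCP: DhcpNameServer'):
            servers = line.split('=', 1)[1].split()
            findings.append(dict(section='supplementary', name='DhcpNameServer',
                                 value=' '.join(servers),
                                 note='DNS resolvers from DHCP; confirm they are the expected '
                                      'ones, since browser redirects often start at DNS'))
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, value = v.group('name'), v.group('value')
        num = _dword(value)
        note = None
        if section.endswith('security center') and name.endswith('Override') and num == 1:
            note = 'Security Center override set: the missing-AV/firewall warning is suppressed'
        elif section.endswith('firewallpolicy\\standardprofile'):
            if name == 'EnableFirewall' and num == 0:
                note = 'Windows Firewall is disabled for the standard profile'
            elif name == 'DisableNotifications' and num == 1:
                note = 'firewall blocked-program notifications are disabled'
        elif section.endswith('currentversion\\run'):
            if any(hint in value.lower() for hint in REMOTE_ACCESS_HINTS):
                note = 'remote-control tool autostarts; verify it is intended and password-protected'
        if note:
            findings.append(dict(section=section, name=name, value=value, note=note))
    return findings


if __name__ == '__main__':
    for f in audit_combofix(SAMPLE_LOG):
        print(f"{f['name']:<22} {f['value']:<48} {f['note']}")
```

Run it against a saved ComboFix log by reading the file into `audit_combofix`; every finding is a setting to confirm with the machine's owner, not a verdict of infection (a legitimately installed VNC server and a deliberately disabled firewall look exactly the same in the log).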
#15 CatByte (Malware Response Team)

Posted 26 June 2011 - 08:08 PM

Hi

Must have been the leftover Webroot that was interfering with the fix, as those logs look fine now. Just a couple more scans to sweep for leftovers.

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015