Geeks to Go

Search redirect, ie, firefox and safari


#31 Chemwapuwa (Member, Topic Starter, 21 posts)

This is all the log said:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#32 RKinner (Malware Expert, MVP, 24,624 posts)

That looks good. What does TDSSKiller say now?

Are you still getting redirected?

Ron
#33 Chemwapuwa (Member, Topic Starter, 21 posts)

00:29:16:781 2512 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
00:29:16:781 2512 ================================================================================
00:29:16:781 2512 SystemInfo:

00:29:16:781 2512 OS Version: 5.1.2600 ServicePack: 3.0
00:29:16:781 2512 Product type: Workstation
00:29:16:781 2512 ComputerName: CHEMWAPU-3E99BA
00:29:16:781 2512 UserName: chemwapuwa
00:29:16:781 2512 Windows directory: C:\WINDOWS
00:29:16:781 2512 Processor architecture: Intel x86
00:29:16:781 2512 Number of processors: 2
00:29:16:781 2512 Page size: 0x1000
00:29:16:781 2512 Boot type: Normal boot
00:29:16:781 2512 ================================================================================
00:29:16:812 2512 UnloadDriverW: NtUnloadDriver error 2
00:29:16:812 2512 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
00:29:16:828 2512 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
00:29:16:828 2512 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:29:16:828 2512 wfopen_ex: Trying to KLMD file open
00:29:16:828 2512 wfopen_ex: File opened ok (Flags 2)
00:29:16:828 2512 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
00:29:16:828 2512 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:29:16:828 2512 wfopen_ex: Trying to KLMD file open
00:29:16:828 2512 wfopen_ex: File opened ok (Flags 2)
00:29:16:828 2512 Initialize success
00:29:16:828 2512
00:29:16:828 2512 Scanning Services ...
00:29:16:906 2512 Raw services enum returned 339 services
00:29:16:906 2512
00:29:16:906 2512 Scanning Kernel memory ...
00:29:16:906 2512 Devices to scan: 2
00:29:16:906 2512
00:29:16:906 2512 Driver Name: Disk
00:29:16:906 2512 IRP_MJ_CREATE : BA10EBB0
00:29:16:906 2512 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
00:29:16:906 2512 IRP_MJ_CLOSE : BA10EBB0
00:29:16:906 2512 IRP_MJ_READ : BA108D1F
00:29:16:906 2512 IRP_MJ_WRITE : BA108D1F
00:29:16:906 2512 IRP_MJ_QUERY_INFORMATION : 804F4562
00:29:16:906 2512 IRP_MJ_SET_INFORMATION : 804F4562
00:29:16:906 2512 IRP_MJ_QUERY_EA : 804F4562
00:29:16:906 2512 IRP_MJ_SET_EA : 804F4562
00:29:16:906 2512 IRP_MJ_FLUSH_BUFFERS : BA1092E2
00:29:16:906 2512 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
00:29:16:906 2512 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
00:29:16:906 2512 IRP_MJ_DIRECTORY_CONTROL : 804F4562
00:29:16:906 2512 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
00:29:16:906 2512 IRP_MJ_DEVICE_CONTROL : BA1093BB
00:29:16:906 2512 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
00:29:16:906 2512 IRP_MJ_SHUTDOWN : BA1092E2
00:29:16:906 2512 IRP_MJ_LOCK_CONTROL : 804F4562
00:29:16:906 2512 IRP_MJ_CLEANUP : 804F4562
00:29:16:906 2512 IRP_MJ_CREATE_MAILSLOT : 804F4562
00:29:16:906 2512 IRP_MJ_QUERY_SECURITY : 804F4562
00:29:16:906 2512 IRP_MJ_SET_SECURITY : 804F4562
00:29:16:906 2512 IRP_MJ_POWER : BA10AC82
00:29:16:906 2512 IRP_MJ_SYSTEM_CONTROL : BA10F99E
00:29:16:906 2512 IRP_MJ_DEVICE_CHANGE : 804F4562
00:29:16:906 2512 IRP_MJ_QUERY_QUOTA : 804F4562
00:29:16:906 2512 IRP_MJ_SET_QUOTA : 804F4562
00:29:16:937 2512 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
00:29:16:937 2512
00:29:16:937 2512 Driver Name: iaStor
00:29:16:937 2512 IRP_MJ_CREATE : 89D06EE4
00:29:16:937 2512 IRP_MJ_CREATE_NAMED_PIPE : 89D06EE4
00:29:16:937 2512 IRP_MJ_CLOSE : 89D06EE4
00:29:16:937 2512 IRP_MJ_READ : 89D06EE4
00:29:16:937 2512 IRP_MJ_WRITE : 89D06EE4
00:29:16:937 2512 IRP_MJ_QUERY_INFORMATION : 89D06EE4
00:29:16:937 2512 IRP_MJ_SET_INFORMATION : 89D06EE4
00:29:16:937 2512 IRP_MJ_QUERY_EA : 89D06EE4
00:29:16:937 2512 IRP_MJ_SET_EA : 89D06EE4
00:29:16:937 2512 IRP_MJ_FLUSH_BUFFERS : 89D06EE4
00:29:16:937 2512 IRP_MJ_QUERY_VOLUME_INFORMATION : 89D06EE4
00:29:16:937 2512 IRP_MJ_SET_VOLUME_INFORMATION : 89D06EE4
00:29:16:937 2512 IRP_MJ_DIRECTORY_CONTROL : 89D06EE4
00:29:16:937 2512 IRP_MJ_FILE_SYSTEM_CONTROL : 89D06EE4
00:29:16:937 2512 IRP_MJ_DEVICE_CONTROL : 89D06EE4
00:29:16:937 2512 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89D06EE4
00:29:16:937 2512 IRP_MJ_SHUTDOWN : 89D06EE4
00:29:16:937 2512 IRP_MJ_LOCK_CONTROL : 89D06EE4
00:29:16:937 2512 IRP_MJ_CLEANUP : 89D06EE4
00:29:16:937 2512 IRP_MJ_CREATE_MAILSLOT : 89D06EE4
00:29:16:937 2512 IRP_MJ_QUERY_SECURITY : 89D06EE4
00:29:16:937 2512 IRP_MJ_SET_SECURITY : 89D06EE4
00:29:16:937 2512 IRP_MJ_POWER : 89D06EE4
00:29:16:937 2512 IRP_MJ_SYSTEM_CONTROL : 89D06EE4
00:29:16:937 2512 IRP_MJ_DEVICE_CHANGE : 89D06EE4
00:29:16:937 2512 IRP_MJ_QUERY_QUOTA : 89D06EE4
00:29:16:937 2512 IRP_MJ_SET_QUOTA : 89D06EE4
00:29:16:937 2512 Driver "iaStor" infected by TDSS rootkit!
00:29:16:953 2512 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
00:29:16:953 2512 File "C:\WINDOWS\system32\drivers\iaStor.sys" infected by TDSS rootkit ...
00:29:16:953 2512 Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
00:29:16:953 2512 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
00:29:17:000 2512 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
00:29:17:234 2512 !fdfb7
00:29:17:234 2512 vfvi6
00:29:17:406 2512 dsvbh1
00:29:17:406 2512 Backup copy2 found, using it..
00:29:17:406 2512 will be cured on next reboot
00:29:17:421 2512 Reboot required for cure complete..
00:29:17:421 2512 Cure on reboot scheduled successfully
00:29:17:421 2512
00:29:17:421 2512 Completed
00:29:17:421 2512
00:29:17:421 2512 Results:
00:29:17:421 2512 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
00:29:17:421 2512 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:29:17:421 2512 File objects infected / cured / cured on reboot: 1 / 0 / 1
00:29:17:421 2512
00:29:17:421 2512 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
00:29:17:421 2512 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
00:29:17:421 2512 UnloadDriverW: NtUnloadDriver error 1
00:29:17:421 2512 KLMD(ARK) unloaded successfully
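The iaStor table in the log above is the whole signal: every IRP_MJ entry resolves to the same address (89D06EE4), whereas a clean driver such as Disk shows its own handlers plus the shared kernel stub (804F4562) for majors it does not implement, and the numeric Verdict is 1 for both files. The parser below is an added example, not TDSSKiller's or the forum's own code: it extracts the per-driver dispatch tables from the log format shown in the post, flags any table collapsed to a single address, and cross-checks that against the tool's own "infected by" line. The collapse heuristic, the regexes and the trimmed sample log are assumptions of the example.

```python
import re

# Trimmed excerpt of the TDSSKiller 2.2.8.1 log posted above (a constructed
# sample: only seven of the 28 IRP_MJ entries per driver are reproduced).
SAMPLE_LOG = """\
00:29:16:906 2512 Scanning Kernel memory ...
00:29:16:906 2512 Devices to scan: 2
00:29:16:906 2512
00:29:16:906 2512 Driver Name: Disk
00:29:16:906 2512 IRP_MJ_CREATE : BA10EBB0
00:29:16:906 2512 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
00:29:16:906 2512 IRP_MJ_CLOSE : BA10EBB0
00:29:16:906 2512 IRP_MJ_READ : BA108D1F
00:29:16:906 2512 IRP_MJ_WRITE : BA108D1F
00:29:16:906 2512 IRP_MJ_DEVICE_CONTROL : BA1093BB
00:29:16:906 2512 IRP_MJ_SET_QUOTA : 804F4562
00:29:16:937 2512 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
00:29:16:937 2512
00:29:16:937 2512 Driver Name: iaStor
00:29:16:937 2512 IRP_MJ_CREATE : 89D06EE4
00:29:16:937 2512 IRP_MJ_CREATE_NAMED_PIPE : 89D06EE4
00:29:16:937 2512 IRP_MJ_CLOSE : 89D06EE4
00:29:16:937 2512 IRP_MJ_READ : 89D06EE4
00:29:16:937 2512 IRP_MJ_WRITE : 89D06EE4
00:29:16:937 2512 IRP_MJ_DEVICE_CONTROL : 89D06EE4
00:29:16:937 2512 IRP_MJ_SET_QUOTA : 89D06EE4
00:29:16:937 2512 Driver "iaStor" infected by TDSS rootkit!
00:29:16:953 2512 C:\\WINDOWS\\system32\\drivers\\iaStor.sys - Verdict: 1
"""

# Every TDSSKiller line starts with "HH:MM:SS:mmm <pid>", then the message.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d{3} \d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+) : ([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(\S+) - Verdict: (\d+)$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit!$')


def parse_log(log):
    """Return (tables, verdicts, reported):
    tables   {driver: {IRP_MJ_name: handler address as int}}
    verdicts {driver: int}   the tool's own per-driver verdict
    reported [driver, ...]   drivers the tool itself called infected
    """
    tables, verdicts, reported = {}, {}, []
    current = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if (d := DRIVER_RE.match(body)):
            current = d.group(1)
            tables.setdefault(current, {})
        elif current and (i := IRP_RE.match(body)):
            tables[current][i.group(1)] = int(i.group(2), 16)
        elif current and (v := VERDICT_RE.match(body)):
            verdicts[current] = int(v.group(2))
        elif (r := INFECTED_RE.match(body)):
            reported.append(r.group(1))
    return tables, verdicts, reported


def collapsed_tables(tables):
    """Heuristic (an assumption of this example, not TDSSKiller's own logic):
    a clean driver's table shows at least two handler addresses, because IRP
    majors it does not implement point at a shared kernel stub (804F4562 for
    Disk above) while the rest point into the driver image. A table in which
    every IRP_MJ entry resolves to one address has had its whole dispatch
    table redirected, which is exactly what the iaStor entry shows.
    Returns {driver: address all entries point to}."""
    hits = {}
    for name, table in tables.items():
        addrs = set(table.values())
        if table and len(addrs) == 1:
            hits[name] = addrs.pop()
    return hits


def triage(log):
    """Cross-check the heuristic against what the tool reported, and show why
    the numeric Verdict alone is not the signal (it is 1 for both drivers)."""
    tables, verdicts, reported = parse_log(log)
    hooked = collapsed_tables(tables)
    return {
        "hooked": {n: f"{a:08X}" for n, a in hooked.items()},
        "reported_by_tool": reported,
        "verdicts": verdicts,
        "agree": sorted(hooked) == sorted(reported),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full TDSSKiller log saved from the tool instead of SAMPLE_LOG to get the same table for every driver it scanned.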

#34 RKinner (Malware Expert, MVP, 24,624 posts)

I think we have a new TDSS variation. Going to post on the internal website and see if one of the gurus can help us.

Ron
#35 Chemwapuwa (Member, Topic Starter, 21 posts)

Ya, I'm still being redirected, but it was less at first, and I noticed it increased in a very short time.

Thanks so much, Ron.

I have had enough for today; it's almost 1am here. Have a great night, and thanks again.
#36 RKinner (Malware Expert, MVP, 24,624 posts)

Guru says to:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************


TDL::
c:\windows\system32\drivers\acpiec.sys


******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.
Drag it over to george and let it start as before.

Post the new log.

Also just got word that TDSSKiller has just been updated to handle this new critter so we need to delete the old TDSSKiller file and download a new one.

http://support.kaspe...s?qid=208280684

Ron

Edited by RKinner, 17 May 2010 - 08:46 AM.

#37 Chemwapuwa (Member, Topic Starter, 21 posts)

ComboFix 10-05-16.02 - chemwapuwa 05/17/2010 11:21:26.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1671 [GMT -4:00]
Running from: c:\documents and settings\chemwapuwa\Desktop\george.exe
Command switches used :: c:\documents and settings\chemwapuwa\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :)
--
Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :)
Infected copy of c:\windows\system32\DRIVERS\ACPIEC.sys was found and disinfected
Restored copy from - Kitty ate it :)
Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :)
--
Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-17 01:39 . 2010-05-17 01:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-17 00:19 . 2010-05-17 00:18 312344 ----a-w- C:\iaStor.sys
2010-05-17 00:19 . 2010-05-17 00:18 11648 ----a-w- C:\acpiec.sys
2010-05-16 21:43 . 2010-05-16 21:43 -------- d-----w- C:\_OTL
2010-05-16 08:33 . 2010-05-16 08:33 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\Yahoo!
2010-05-16 06:55 . 2010-05-16 08:11 -------- d-----w- c:\windows\BDOSCAN8
2010-05-16 04:01 . 2010-05-16 04:01 -------- d-----w- c:\program files\ESET
2010-05-16 02:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 02:58 . 2010-05-16 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 02:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 23:47 . 2010-05-16 02:20 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-15 06:00 . 2010-05-15 06:00 -------- d-----w- c:\program files\Common Files\Java
2010-05-15 05:59 . 2010-05-15 05:59 503808 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11c81698-n\msvcp71.dll
2010-05-15 05:59 . 2010-05-15 05:59 499712 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11c81698-n\jmc.dll
2010-05-15 05:59 . 2010-05-15 05:59 348160 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11c81698-n\msvcr71.dll
2010-05-15 05:59 . 2010-05-15 05:59 61440 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79fceed8-n\decora-sse.dll
2010-05-15 05:59 . 2010-05-15 05:59 12800 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79fceed8-n\decora-d3d.dll
2010-05-15 05:59 . 2010-05-15 05:59 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-11 01:27 . 2010-05-11 01:27 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\Threat Expert
2010-05-11 01:18 . 2010-05-11 02:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-11 00:19 . 2010-05-11 00:19 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Malwarebytes
2010-05-11 00:19 . 2010-05-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-09 20:09 . 2010-05-09 20:09 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-29 23:03 . 2010-04-29 23:03 0 ----a-w- c:\windows\nsreg.dat
2010-04-29 23:00 . 2010-04-29 23:00 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\Mozilla
2010-04-29 22:59 . 2010-04-29 23:00 -------- d-----w- c:\program files\SeaMonkey
2010-04-29 22:56 . 2010-04-29 22:56 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-29 21:57 . 2010-04-29 21:57 -------- d-----w- C:\i3dthemes
2010-04-29 21:48 . 2010-04-29 21:48 -------- d-----w- c:\program files\Starfield
2010-04-29 21:27 . 2010-04-29 21:27 -------- d-----w- c:\program files\LTMOD
2010-04-29 21:25 . 2010-04-29 21:25 -------- d-----w- C:\FrontPage Tools
2010-04-29 21:25 . 2010-04-29 21:25 720896 ----a-w- c:\windows\iun6002.exe
2010-04-29 21:25 . 2010-04-29 21:25 -------- d-----w- c:\program files\NetPlugin Tags
2010-04-29 21:24 . 2010-04-29 21:27 -------- d-----w- c:\program files\DPA Software
2010-04-29 21:24 . 2003-03-27 17:16 49152 ----a-w- c:\windows\system32\DPAMenu.dll
2010-04-29 21:24 . 2003-03-26 22:21 73728 ----a-w- c:\windows\system32\DPARTL.dll
2010-04-29 21:05 . 2010-05-05 02:41 -------- d-----w- C:\FPTemplates
2010-04-24 22:47 . 2010-04-24 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-04-24 22:46 . 2010-04-24 22:48 -------- d-----w- c:\program files\Canon
2010-04-23 16:59 . 2010-04-23 16:59 57312 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\program files\iPod
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\program files\iTunes
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-22 03:47 . 2010-04-22 03:47 -------- d-----w- c:\program files\QuickTime
2010-04-22 03:45 . 2010-04-22 03:45 -------- d-----w- c:\program files\Bonjour
2010-04-22 03:42 . 2010-04-22 03:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-19 00:59 . 2010-04-19 01:00 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\HuluDesktop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 15:27 . 2009-11-15 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-05-17 15:27 . 2009-11-15 19:41 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-05-17 04:30 . 2009-03-09 05:04 312344 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-05-17 00:18 . 2006-02-28 12:00 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys
2010-05-11 03:08 . 2010-03-29 01:27 -------- d-----w- c:\program files\Google
2010-05-11 01:38 . 2010-03-29 01:27 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Skype
2010-04-28 16:10 . 2009-12-09 15:44 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Temp
2010-04-24 00:13 . 2009-11-18 07:29 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Apple Computer
2010-04-22 03:49 . 2009-11-24 02:16 -------- d-----w- c:\program files\Common Files\Apple
2010-04-17 15:10 . 2009-11-15 19:39 -------- d-----w- c:\program files\Kodak
2010-04-17 15:06 . 2010-04-17 15:06 -------- d-----w- c:\program files\MSXML 6.0
2010-04-17 15:03 . 2009-10-15 23:28 72480 ----a-w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-17 14:17 . 2010-04-17 14:17 -------- d-----w- c:\program files\MSECache
2010-03-29 01:28 . 2010-03-29 01:28 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-29 01:28 . 2010-03-29 01:28 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\skypePM
2010-03-29 01:27 . 2010-03-29 01:26 -------- d-----r- c:\program files\Skype
2010-03-29 01:26 . 2010-03-29 01:26 -------- d-----w- c:\program files\Common Files\Skype
2010-03-29 01:26 . 2010-03-29 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-29 01:23 . 2010-03-29 01:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-03-29 01:23 . 2010-03-29 01:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-03-29 01:22 . 2010-03-29 01:22 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2010-03-29 01:22 . 2010-03-29 01:22 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-03-29 01:22 . 2010-03-29 01:22 74752 ----a-w- c:\windows\system32\CLEyeDevices.dll
2010-03-29 01:22 . 2010-03-29 01:22 -------- d-----w- c:\program files\Code Laboratories
2010-03-26 01:23 . 2010-03-26 01:23 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Alawar
2010-03-26 01:21 . 2010-03-26 01:21 -------- d-----w- c:\program files\WildGames
2010-03-25 22:24 . 2009-12-09 15:21 -------- d-----w- c:\program files\Common Files\Livescribe
2010-03-25 22:24 . 2010-03-25 22:24 -------- d-----w- c:\program files\Livescribe
2010-03-25 22:11 . 2009-12-09 15:18 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Downloaded Installations
2010-03-22 17:26 . 2009-10-15 23:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-22 17:26 . 2010-03-22 17:26 -------- d-----w- c:\program files\ALK Technologies
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 04:38 . 2010-02-20 04:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-05-16_03.51.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-17 15:27 . 2010-05-17 15:27 16384 c:\windows\temp\Perflib_Perfdata_740.dat
+ 2006-02-28 12:00 . 2010-05-17 00:18 11648 c:\windows\system32\dllcache\acpiec.sys
+ 2009-01-05 19:44 . 2009-01-05 19:44 53248 c:\windows\bdoscandel.exe
+ 2010-05-16 06:57 . 2010-05-16 06:57 86016 c:\windows\BDOSCAN8\librtvr.dll
+ 2010-05-16 06:57 . 2010-05-16 06:57 27136 c:\windows\BDOSCAN8\avxt.dll
+ 2010-05-16 06:57 . 2010-05-16 06:57 10240 c:\windows\BDOSCAN8\avxs.dll
+ 2010-05-16 06:57 . 2010-05-16 06:57 45056 c:\windows\BDOSCAN8\avxdisk.dll
+ 2009-01-05 19:44 . 2009-01-05 19:44 741376 c:\windows\Downloaded Program Files\ipsupd.dll
+ 2009-01-05 19:44 . 2010-05-16 06:57 142848 c:\windows\BDOSCAN8\libfn.dll
+ 2009-01-05 19:44 . 2009-01-05 19:44 741376 c:\windows\BDOSCAN8\ipsupd.dll
+ 2009-01-05 19:44 . 2010-05-16 07:03 107800 c:\windows\BDOSCAN8\bdcore.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 18:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 00:12 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2010-02-08 16:09 1634304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 18:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-15 18:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-11-01 19:47 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-11-01 19:51 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-09-06 19:53 169264 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-15 18:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-08-22 18:33 303104 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 14:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-09-28 00:26 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wben]
2009-09-24 18:51 338456 ----a-w- c:\program files\Starfield\Desktop Notifier\wben.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [2/18/2010 1:23 PM 265728]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [12/9/2009 11:21 AM 20096]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-17 c:\windows\Tasks\User_Feed_Synchronization-{6D05B59C-29A6-4B50-929C-E9CB78A9A916}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.netflix.com/WiHome
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: Web-Based Email Tools - hxxp://email01.secureserver.net/Download.CAB
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\chemwapuwa\Application Data\Mozilla\Firefox\Profiles\88716p9b.default\
FF - plugin: c:\documents and settings\chemwapuwa\Local Settings\Application Data\HuluDesktop\instances\0.9.13.1\nphdplg.dll
FF - plugin: c:\documents and settings\chemwapuwa\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
.
**************************************************************************
.
Completion time: 2010-05-17 11:31:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-17 15:31
ComboFix2.txt 2010-05-16 03:54
ComboFix3.txt 2010-05-11 08:02
ComboFix4.txt 2010-05-11 02:25
ComboFix5.txt 2010-05-17 15:15

Pre-Run: 287,371,550,720 bytes free
Post-Run: 287,471,128,576 bytes free

- - End Of File - - B99D68750512F07C53138D513B96D6FD
12:00:56:765 0820 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
12:00:56:765 0820 ================================================================================
12:00:56:765 0820 SystemInfo:

12:00:56:765 0820 OS Version: 5.1.2600 ServicePack: 3.0
12:00:56:765 0820 Product type: Workstation
12:00:56:765 0820 ComputerName: CHEMWAPU-3E99BA
12:00:56:765 0820 UserName: chemwapuwa
12:00:56:765 0820 Windows directory: C:\WINDOWS
12:00:56:765 0820 Processor architecture: Intel x86
12:00:56:765 0820 Number of processors: 2
12:00:56:765 0820 Page size: 0x1000
12:00:56:781 0820 Boot type: Normal boot
12:00:56:781 0820 ================================================================================
12:00:56:781 0820 UnloadDriverW: NtUnloadDriver error 2
12:00:56:781 0820 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
12:00:56:796 0820 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:00:56:796 0820 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:00:56:796 0820 wfopen_ex: Trying to KLMD file open
12:00:56:796 0820 wfopen_ex: File opened ok (Flags 2)
12:00:56:796 0820 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:00:56:796 0820 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:00:56:796 0820 wfopen_ex: Trying to KLMD file open
12:00:56:796 0820 wfopen_ex: File opened ok (Flags 2)
12:00:56:796 0820 KLAVA engine initialized
12:00:56:906 0820 Initialize success
12:00:56:906 0820
12:00:56:906 0820 Scanning Services ...
12:00:56:984 0820 Raw services enum returned 339 services
12:00:57:000 0820
12:00:57:000 0820 Scanning Drivers ...
12:00:57:140 0820 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:00:57:171 0820 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
12:00:57:218 0820 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:00:57:265 0820 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
12:00:57:328 0820 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
12:00:57:406 0820 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
12:00:57:468 0820 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:00:57:515 0820 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:00:57:562 0820 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:00:57:593 0820 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:00:57:609 0820 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:00:57:828 0820 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:00:57:875 0820 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:00:57:906 0820 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:00:57:968 0820 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:00:58:015 0820 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
12:00:58:062 0820 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
12:00:58:109 0820 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:00:58:140 0820 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:00:58:203 0820 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:00:58:218 0820 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:00:58:265 0820 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:00:58:281 0820 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:00:58:312 0820 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:00:58:328 0820 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
12:00:58:375 0820 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:00:58:375 0820 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
12:00:58:437 0820 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:00:58:484 0820 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:00:58:531 0820 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:00:58:578 0820 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
12:00:58:578 0820 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:00:58:625 0820 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
12:00:58:671 0820 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:00:58:703 0820 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
12:00:58:718 0820 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
12:00:58:734 0820 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
12:00:58:765 0820 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:00:58:843 0820 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:00:59:031 0820 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
12:00:59:265 0820 iaStor (db0cc620b27a928d968c1a1e9cd9cb87) C:\WINDOWS\system32\drivers\iaStor.sys
12:00:59:296 0820 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:00:59:359 0820 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:00:59:375 0820 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
12:00:59:406 0820 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:00:59:421 0820 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:00:59:453 0820 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:00:59:515 0820 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:00:59:531 0820 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:00:59:562 0820 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:00:59:578 0820 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:00:59:625 0820 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:00:59:671 0820 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:00:59:718 0820 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:00:59:734 0820 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:00:59:765 0820 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:00:59:812 0820 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:00:59:828 0820 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:00:59:843 0820 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:00:59:921 0820 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:00:59:968 0820 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:01:00:015 0820 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:01:00:046 0820 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:01:00:062 0820 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:01:00:093 0820 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:01:00:093 0820 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
12:01:00:140 0820 MXOPSWD (216ac775320f64de28cfeb7c179c4ff9) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
12:01:00:156 0820 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:01:00:156 0820 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:01:00:187 0820 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:01:00:187 0820 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:01:00:203 0820 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
12:01:00:250 0820 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:01:00:281 0820 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:01:00:359 0820 NETw4x32 (9eb7001200bc53dad5bc531f0e58970e) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
12:01:00:437 0820 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
12:01:00:453 0820 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:01:00:468 0820 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:01:00:531 0820 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:01:00:546 0820 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:01:00:562 0820 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:01:00:593 0820 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
12:01:00:625 0820 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
12:01:00:640 0820 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:01:00:671 0820 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:01:00:703 0820 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:01:00:734 0820 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
12:01:00:765 0820 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
12:01:00:828 0820 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:01:00:843 0820 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:01:00:859 0820 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:01:00:906 0820 PulseUsb (071ae03df7d37fbbf9766703265ad871) C:\WINDOWS\system32\DRIVERS\PulseUsb.sys
12:01:00:968 0820 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:01:00:984 0820 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:01:01:000 0820 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:01:01:000 0820 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:01:01:078 0820 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:01:01:109 0820 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:01:01:125 0820 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
12:01:01:171 0820 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:01:01:203 0820 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
12:01:01:218 0820 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
12:01:01:250 0820 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
12:01:01:296 0820 s24trans (c26a053e4db47f6cdd8653c83aaf22ee) C:\WINDOWS\system32\DRIVERS\s24trans.sys
12:01:01:328 0820 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:01:01:359 0820 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
12:01:01:375 0820 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:01:01:453 0820 smserial (78da3038965de2b3834303dfb0578326) C:\WINDOWS\system32\DRIVERS\smserial.sys
12:01:01:515 0820 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:01:01:578 0820 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:01:01:625 0820 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
12:01:01:687 0820 STHDA (cc314b6e5c2c73b849b57d3decd45bea) C:\WINDOWS\system32\drivers\sthda.sys
12:01:01:718 0820 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:01:01:734 0820 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:01:01:796 0820 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:01:01:890 0820 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:01:01:921 0820 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:01:01:937 0820 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:01:01:968 0820 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:01:02:000 0820 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:01:02:062 0820 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:01:02:109 0820 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
12:01:02:140 0820 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:01:02:171 0820 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:01:02:187 0820 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:01:02:218 0820 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:01:02:234 0820 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:01:02:250 0820 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:01:02:296 0820 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:01:02:359 0820 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:01:02:390 0820 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:01:02:406 0820 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:01:02:437 0820 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
12:01:02:500 0820 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:01:02:546 0820 WinUSB (30fc6e5448d0cbaaa95280eeef7fedae) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
12:01:02:578 0820 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
12:01:02:671 0820 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
12:01:02:843 0820 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
12:01:02:875 0820 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
12:01:02:921 0820 yukonwxp (4322c32ced8c4772e039616dcbf01d3f) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
12:01:02:937 0820
12:01:02:937 0820 Completed
12:01:02:937 0820
12:01:02:937 0820 Results:
12:01:02:937 0820 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:01:02:937 0820 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:01:02:937 0820
12:01:02:937 0820 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:01:02:937 0820 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:01:02:937 0820 KLMD(ARK) unloaded successfully
  • 0
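A small parser for the TDSSKiller log format posted above, added here as an example (it is not part of the thread and not code from Kaspersky's tool): it pulls the service name, MD5 and path out of each driver-scan line, reads the two summary lines, and compares driver hashes between two runs so a changed or newly appearing driver stands out even when the totals are 0 / 0 / 0. The two sample logs inside it are constructed from a few lines of the log above plus an all-zero placeholder hash.

```python
import re
from typing import Dict, NamedTuple, Tuple

# A driver-scan line in the log above: "HH:MM:SS:mmm PID Name (md5) C:\path\driver.sys"
DRIVER_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>[A-Za-z]:\\.+)$")
# The two summary lines: "... Registry objects infected / cured / cured on reboot: 0 / 0 / 0"
RESULT_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<kind>Registry|File) objects infected / cured / "
    r"cured on reboot: (?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$")

class Driver(NamedTuple):
    md5: str
    path: str

def parse_log(text: str) -> Tuple[Dict[str, Driver], Dict[str, Dict[str, int]]]:
    """Return (drivers keyed by service name, result counters keyed by 'Registry'/'File')."""
    drivers, results = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVER_RE.match(line):
            drivers[m["name"]] = Driver(m["md5"].lower(), m["path"])
        elif m := RESULT_RE.match(line):
            results[m["kind"]] = {k: int(m[k]) for k in ("infected", "cured", "reboot")}
    return drivers, results

def is_clean(results: Dict[str, Dict[str, int]]) -> bool:
    """Clean only if BOTH summary lines were found and each reports zero infected objects."""
    return set(results) >= {"Registry", "File"} and all(
        r["infected"] == 0 for r in results.values())

def diff_drivers(old: Dict[str, Driver], new: Dict[str, Driver]) -> Dict[str, tuple]:
    """Drivers whose MD5 changed, or that appear in only one run (None on the missing side).
    A system driver whose hash changes without an update is worth a closer look."""
    changed = {}
    for name in old.keys() | new.keys():
        before = old[name].md5 if name in old else None
        after = new[name].md5 if name in new else None
        if before != after:
            changed[name] = (before, after)
    return changed

# Constructed sample: two driver lines copied from the log above plus its summary block.
NEW_RUN = """
12:00:57:140 0820 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
12:00:57:515 0820 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
12:01:02:937 0820 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:01:02:937 0820 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""
# Constructed "earlier run": atapi carries an all-zero placeholder hash (not a real value),
# ACPI is absent, and the File summary line is missing, so the run is not reported clean.
OLD_RUN = """
00:29:17:000 2512 atapi (00000000000000000000000000000000) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
00:29:20:000 2512 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
"""

if __name__ == "__main__":
    old_drv, old_res = parse_log(OLD_RUN)
    new_drv, new_res = parse_log(NEW_RUN)
    print("earlier run complete and clean:", is_clean(old_res), "latest:", is_clean(new_res))
    for name, (before, after) in sorted(diff_drivers(old_drv, new_drv).items()):
        print(f"{name}: {before} -> {after}")
```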

#38
Chemwapuwa

    Member

  • Topic Starter
  • Member
  • 21 posts
Hi Ron

The last thing we did seems to have worked, no redirection. Can you recommend free virus protection software? Is AVG good? I have tried the paid one, and McAfee and Norton didn't seem worth the money; everyone's computer that had it was infected.


Thank you so much for your help

Chem

Edited by Chemwapuwa, 17 May 2010 - 10:13 AM.

  • 0

#39
RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Hooray!

I use the free Avast! on my home computer along with the free Comodo Firewall. The free Avira may be slightly better from what people tell me, but I'm used to Avast and it seems to work well for me. It was recently updated to version 5 from 4.8, and they seem to have addressed a lot of the concerns that people had.

http://www.avast.com...avast-home.html

Comodo is a bit trickier. You get it:
http://www.personalf...all.comodo.com/

Decline any free offers and make sure you only have the firewall checked. (Top option of three if I remember correctly). They will try and talk you into some other stuff but just be firm. There is an option for a virus scan but I would decline it. They are prone to false positives. They will ask you if you are sure your system is clean. Tell them yes.

Comodo will annoy you to death at first, since any time something wants to go out it will have to ask permission. You can tell it to remember your answer, then it won't ask you again for that software. The first things you will see are Avast-related and they start with "ash", so make sure you let them go. You will also need to let svchost.exe and your browser go out.

I also use the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

And Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on.


We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files, you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

Ron
  • 0





