infected svchost.exe - browser redirect?


  • This topic is locked This topic is locked

#1
soonerskies

soonerskies

    Member

  • Member
  • PipPip
  • 74 posts
Hello. I have a Samsung netbook running XP I use primarily while traveling. In the early August timeframe, I picked up some form of virus/malware, I believe associated with downloading a freeware text editor. ??? As I recall, the noticeable problem was Explorer being redirected to apparently random sites. I ran Malwarebytes (I believe in Safe Mode) and it detected some problems (see logfile below). I became busy with other things and had to set the machine aside for a while, until recently when I realized I needed it and it was still infected.

I ran Malwarebytes on it again today, and it found no problems. However, I still have random browser redirects + the system becomes very lethargic. I noticed svchost.exe was consuming >50% CPU + had swelled to >200-300k in size. This was the case in Safe Mode with an internet connection. I had run Malwarebytes from this so I could update the database. When I come up in Safe Mode w/no internet, svchost.exe doesn't exhibit this behavior.

I ran OTL. However, when I clicked on OTL.exe it came back with "This app failed to start because framedyn.dll was not found." When I clicked "ok" ... OTL came up and I was able to run it. ??? The log file is included below.

Note: This is my second post of the day. This post is about my Samsung netbook. My previous post was for my dad's machine. These problems are totally unrelated.

Thank you so much for your help!

==========================================================

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7397

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/7/2011 1:08:10 AM
mbam-log-2011-08-07 (01-08-10).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 300833
Time elapsed: 2 hour(s), 33 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\dlidpdl.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\etotevih.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mpahejelapelepix (Trojan.Hiloti) -> Value: Mpahejelapelepix -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Okaxugawop (IPH.Trojan.Hiloti.B) -> Value: Okaxugawop -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\dlidpdl.dll (Trojan.Hiloti) -> Delete on reboot.
c:\WINDOWS\etotevih.dll (IPH.Trojan.Hiloti.B) -> Delete on reboot.
c:\documents and settings\all users\application data\rpsvrmteabnpqn.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Adobe\plugs\mmc31782921.txt (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\local settings\Temp\2F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Adobe\plugs\mmc102.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Michael\application data\Adobe\plugs\mmc31838187.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

=============================================================

OTL logfile created on: 9/29/2011 9:30:24 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Michael\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.34 Mb Total Physical Memory | 411.21 Mb Available Physical Memory | 40.54% Memory free
2.39 Gb Paging File | 1.94 Gb Available in Paging File | 81.34% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.04 Gb Total Space | 38.78 Gb Free Space | 54.58% Space Free | Partition Type: NTFS
Drive D: | 72.00 Gb Total Space | 43.50 Gb Free Space | 60.42% Space Free | Partition Type: NTFS
Drive E: | 3.73 Gb Total Space | 3.56 Gb Free Space | 95.42% Space Free | Partition Type: FAT32

Computer Name: NETBOOK | User Name: Michael | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/28 13:48:46 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2009/02/14 06:04:38 | 000,756,040 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/07/07 23:43:27 | 000,269,480 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/05/01 23:59:37 | 000,136,360 | ---- | M] (Avira GmbH) [Auto | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/12/17 17:36:24 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/09/08 18:25:52 | 000,096,334 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2009/07/07 15:48:44 | 000,647,216 | ---- | M] (Cisco Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2009/04/21 03:09:00 | 000,282,624 | ---- | M] (Marvell) [Auto | Stopped] -- C:\WINDOWS\system32\yk51x86.dll -- (yksvc)
SRV - [2008/05/23 19:58:34 | 000,594,600 | ---- | M] ( ) [Auto | Stopped] -- C:\WINDOWS\System32\lxducoms.exe -- (lxdu_device)
SRV - [2008/05/23 19:58:22 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe -- (lxduCATSCustConnectService)
SRV - [2008/05/13 10:44:00 | 000,077,480 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe -- (Samsung Update Plus)
SRV - [2007/01/04 20:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - [2011/07/07 23:43:35 | 000,138,192 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/07/07 23:43:35 | 000,066,616 | ---- | M] (Avira GmbH) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/07/07 15:48:44 | 000,026,672 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2009/07/07 15:48:44 | 000,025,392 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/21 03:09:00 | 000,297,344 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2009/03/19 07:19:54 | 000,991,136 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/10/30 15:19:14 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/10/08 01:35:10 | 001,334,432 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/23 15:23:58 | 000,238,464 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VMC326.sys -- (VMC326)
DRV - [2008/08/26 18:35:00 | 004,753,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/14 21:01:02 | 000,030,208 | ---- | M] (Samsung Electronics,.LTD) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SamsungEDS.SYS -- (DNSeFilter)
DRV - [2007/11/06 14:22:00 | 000,036,224 | ---- | M] (ArcSoft Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\ArcCD.sys -- (ArcCD)
DRV - [2007/04/25 09:55:02 | 000,134,912 | ---- | M] (ArcSoft Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\ArcUdfs.sys -- (ArcUdfs)
DRV - [2007/04/17 21:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\regi.sys -- (regi)
DRV - [2006/11/10 16:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/08/01 17:57:24 | 000,019,840 | ---- | M] (Samsung) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SUE_PD.sys -- (SUEPD)
DRV - [2005/10/26 23:18:05 | 000,004,300 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\MEMIO.SYS -- (DOSMEMIO)
DRV - [2004/12/23 05:47:10 | 000,027,392 | R--- | M] (Ulead Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys -- (ULCDRHlp)
DRV - [2002/10/01 10:22:32 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=SMSN&bmod=SMSN
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...N&bmod=SMSN
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{51BA87E2-BC8E-4E19-B1D9-B58F3688A697}: C:\Documents and Settings\Michael\Local Settings\Application Data\{51BA87E2-BC8E-4E19-B1D9-B58F3688A697}\ [2011/08/06 18:07:42 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE File not found
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [ArcSoft MediaImpression Monitor] C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe (ArcSoft, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe ()
O4 - HKLM..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)
O4 - HKLM..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)
O4 - HKLM..\Run: [Lexmark 5600-6600 Series Fax Server] C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe ()
O4 - HKLM..\Run: [lxduamon] C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe ()
O4 - HKLM..\Run: [lxdumon.exe] C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe ()
O4 - HKLM..\Run: [MagicKeyboard] C:\Program Files\Samsung\MagicKBD\PreMKbd.exe ()
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE File not found
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\Michael\Start Menu\Programs\Startup\RCA Detective.lnk = C:\Documents and Settings\Michael\My Documents\RCA Detective\RCADetective.exe (Audiovox Electronics Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 10 00 00 00 [binary data]
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0681386A-CB5E-4381-96FC-839D3D36DB98}: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - File not found
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - File not found
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - File not found
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - File not found
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - File not found
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - File not found
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - File not found
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - File not found
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\SamsungWallpaper.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\SamsungWallpaper.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll File not found
O29 - HKLM SecurityProviders - (msapsspc.dll) - File not found
O29 - HKLM SecurityProviders - (schannel.dll) - File not found
O29 - HKLM SecurityProviders - (digest.dll) - File not found
O29 - HKLM SecurityProviders - (msnsspc.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/18 17:53:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{21de7c4c-f633-11de-a148-0024540b8a58}\Shell - "" = AutoRun
O33 - MountPoints2\{21de7c4c-f633-11de-a148-0024540b8a58}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{21de7c4c-f633-11de-a148-0024540b8a58}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{638e947a-3d5d-11e0-a1a4-b5d9bbbe29a8}\Shell - "" = AutoRun
O33 - MountPoints2\{638e947a-3d5d-11e0-a1a4-b5d9bbbe29a8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{638e947a-3d5d-11e0-a1a4-b5d9bbbe29a8}\Shell\AutoRun\command - "" = F:\MI.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/29 21:29:53 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.scr
[2011/09/29 21:29:49 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.com
[2011/09/29 21:28:14 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2009/12/27 15:25:24 | 000,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDUhcp.dll
[2009/12/27 15:25:23 | 000,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxduusb1.dll
[2009/12/27 15:25:23 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxduinpa.dll
[2009/12/27 15:25:23 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxduiesc.dll
[2009/12/27 15:25:22 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxduserv.dll
[2009/12/27 15:25:22 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdupmui.dll
[2009/12/27 15:25:22 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdulmpm.dll
[2009/12/27 15:25:21 | 000,328,360 | ---- | C] ( ) -- C:\WINDOWS\System32\lxduih.exe
[2009/12/27 15:25:20 | 000,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxduhbn3.dll
[2009/12/27 15:25:19 | 000,594,600 | ---- | C] ( ) -- C:\WINDOWS\System32\lxducoms.exe
[2009/12/27 15:25:19 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxducomm.dll
[2009/12/27 15:25:18 | 000,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxducomc.dll
[2009/12/27 15:25:18 | 000,369,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxducfg.exe
[29 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/29 21:09:07 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/29 20:58:21 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/29 20:56:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/28 13:57:40 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.com
[2011/09/28 13:57:08 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.scr
[2011/09/28 13:48:46 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Michael\Desktop\OTL.exe
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[29 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/06 18:07:43 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Uvagamolim.dat
[2011/08/06 18:07:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Gtezofiruj.bin
[2011/08/06 09:48:09 | 000,000,046 | ---- | C] () -- C:\WINDOWS\cedt.INI
[2010/10/05 01:24:55 | 001,308,360 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/10 01:43:22 | 000,690,969 | ---- | C] () -- C:\WINDOWS\unins000.exe
[2010/02/10 01:43:22 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/02/10 01:43:22 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/02/10 01:43:22 | 000,000,882 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2010/02/06 21:54:28 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/01/27 00:45:43 | 008,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2010/01/11 20:57:39 | 000,031,232 | ---- | C] () -- C:\Documents and Settings\Michael\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/31 13:44:31 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/29 22:30:08 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Family_KBD.ini
[2009/12/29 22:01:40 | 000,000,074 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2009/12/29 17:46:26 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2009/12/29 01:06:18 | 000,000,246 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/12/28 23:28:25 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\QTUninst.dll
[2009/12/27 15:36:06 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxduvs.dll
[2009/12/27 15:36:01 | 000,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxducoin.dll
[2009/12/27 15:35:10 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdudrs.dll
[2009/12/27 15:35:10 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxducaps.dll
[2009/12/27 15:35:10 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxducnv4.dll
[2009/12/27 15:34:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDUPMON.DLL
[2009/12/27 15:34:38 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDUFXPU.DLL
[2009/12/27 15:34:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxduoem.dll
[2009/12/27 15:26:54 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdurwrd.ini
[2009/12/27 15:25:25 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDUinst.dll
[2009/12/27 15:25:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdugrd.dll
[2009/12/26 17:22:04 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Michael_KBD.ini
[2009/12/26 03:13:07 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Belinda_KBD.ini
[2009/09/08 12:59:20 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/06/18 18:12:03 | 000,307,200 | ---- | C] () -- C:\WINDOWS\SetDisplayResolution.exe
[2009/06/18 18:05:29 | 000,000,002 | ---- | C] () -- C:\WINDOWS\HotFixList.ini
[2009/06/18 18:05:24 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2009/06/18 18:05:24 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Owner_KBD.ini
[2009/06/18 18:05:22 | 000,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2009/06/18 18:05:22 | 000,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2009/06/18 18:05:22 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2009/06/18 18:05:22 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2009/06/18 18:05:22 | 000,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2009/06/18 18:05:22 | 000,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2009/06/18 18:05:22 | 000,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2009/06/18 18:05:22 | 000,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2009/06/18 18:05:22 | 000,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2009/06/18 18:05:22 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2009/06/18 18:05:22 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2009/06/18 18:05:22 | 000,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2009/06/18 18:05:22 | 000,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2009/06/18 18:05:22 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2009/06/18 18:05:22 | 000,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2009/06/18 18:05:22 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2009/06/18 18:05:22 | 000,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2009/06/18 18:03:16 | 000,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2009/06/18 18:03:16 | 000,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2009/06/18 18:00:02 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/06/18 17:57:36 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\Marker.exe
[2009/06/18 17:57:35 | 000,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2009/06/18 17:55:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/06/18 17:51:24 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/06/18 10:45:50 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/06/18 10:44:44 | 000,190,592 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/23 18:40:06 | 002,854,976 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/06/18 17:34:35 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/06/18 17:34:01 | 000,433,244 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/06/18 17:34:01 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/06/18 17:34:01 | 000,068,034 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/06/18 17:34:01 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/06/18 17:34:01 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/06/18 17:34:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/06/18 17:34:00 | 000,004,486 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/06/18 17:34:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/06/18 17:33:59 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/06/18 17:33:59 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/06/18 17:33:55 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/06/18 17:33:55 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2007/02/26 18:49:12 | 006,139,774 | ---- | C] () -- C:\WINDOWS\imagine digital freedom.dat
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/12/27 15:34:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\5600-6600 Series
[2010/02/14 17:45:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2009/12/26 19:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Partner
[2009/12/27 01:10:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/06/18 18:00:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLAN
[2009/12/27 15:48:50 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Michael\Application Data\5600-6600 Series
[2009/12/29 17:33:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Michael\Application Data\Inspiration Software
[2009/12/28 23:18:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Michael\Application Data\InterVideo
[2009/12/28 09:49:50 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Michael\Application Data\Lexmark Productivity Studio
[2009/12/29 22:01:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\MyFamily.com
[2009/12/26 18:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michael\Application Data\WinPatrol

========== Purity Check ==========



< End of report >
  • 0


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello soonerskies and welcome to G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2011/08/06 18:07:43 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Uvagamolim.dat
    [2011/08/06 18:07:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Gtezofiruj.bin

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Step 3

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • Combofix log
  • TDSSKiller log
It would be helpful if you could post each log in a separate post
  • 0

#3
soonerskies

soonerskies

    Member

  • Topic Starter
  • Member
  • 74 posts
Hi maliprog! Thank you so much for your help!!!

I ran OTL (in Safe Mode w/no network) and below is the log.

========== OTL ==========
C:\WINDOWS\Uvagamolim.dat moved successfully.
C:\WINDOWS\Gtezofiruj.bin moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
C:\Documents and Settings\Michael\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Michael\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.29.1 log created on 10052011_215151


Ok ... now, I'm upset with myself, as I failed to follow instructions properly. :)

I also ran combofix in Safe Mode ... when it finished, I must not have been thinking straight and was looking for a folder named c:\combofix rather than a file named c:\combofix.txt. Arg! I can't say if it was there at that point or not, as I was looking for a folder. Also, in safe mode, I didn't think my antivirus would be running, (avira) however, a popup box claimed it was when I tried to run combofix. I had read the instructions earlier ... but didn't read all the way through again as I was running combofix. I decided to reboot my pc and allow it to come up normally and then be certain to disable antivirus. I did this and then ran combofix again ... only after that did I see (and recall) the instructions saying not to rerun combofix! Anyway ... even with the second running of combofix, I still didn't find a log file. ???

Since I screwed up Step 2 of rerunning combofix ... I decided not to do Step 3 until I heard from you on how to proceed.

So sorry for screwing up!!! ... soonerskies
  • 0

#4
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi soonerskies,

You need to read instructions all the way through.

Can you restart your system one more time and see if you get the C:\Combofix.txt log?

If you don't find it after restart, run Combofix again from Normal mode. Please read the instructions again. Get back to me with the results (hopefully the Combofix log).
  • 0

#5
soonerskies

soonerskies

    Member

  • Topic Starter
  • Member
  • 74 posts
Thank you maliprog ... and yes, I understand.

I restarted my system in normal mode and have looked for c:\Combofix.txt and was not able to find it. Further I used 'windows search' for combofix.txt and it didn't find it anywhere on my system. So I shall run combofix again.

Step-by-step ...
My machine has been brought up in "normal mode" ... and I am following the instructions for Step 2 provided earlier....
- I have ComboFix.exe saved to my desktop.
- I have disabled my antivirus (avira) and firewall (windows). Both show as being disabled. I checked Windows Task Manager and saw Teatimer (Spybot) was running ... I killed that task. Is all of this ok?
- I ran combofix again. It appeared to run as before, opening a window as shown in the instructions above.
- When it completed ... I look at c:\ .... and I still don't find a file named combofix.txt :)
- I do see a "Combofix" folder. When I hover the cursor over this file, it says: "Shows the disk drives and hardware connected to this computer". The creation date/time is when I last ran combofix
- Checking properties: the version of combofix I downloaded from "Link 1" and used is shown to be: 11.10.5.2
(which looks a lot like the date I downloaded it)

Am I doing something wrong ... or have I done something wrong that's causing combofix to not create a log file?
Should I try downloading a fresh version of combofix from another site and try again?
I won't do anything until I hear from you. Thank you for your patience. I very much appreciate your help!
  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
OK. Leave Combofix for now. Do Step 3. Run TDSSKiller and post log here for me.
  • 0

#7
soonerskies

soonerskies

    Member

  • Topic Starter
  • Member
  • 74 posts
OK ... here's the TDSSKiller log.

15:02:52.0750 3744 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
15:02:52.0859 3744 ============================================================
15:02:52.0859 3744 Current date / time: 2011/10/06 15:02:52.0859
15:02:52.0859 3744 SystemInfo:
15:02:52.0859 3744
15:02:52.0859 3744 OS Version: 5.1.2600 ServicePack: 3.0
15:02:52.0859 3744 Product type: Workstation
15:02:52.0859 3744 ComputerName: NETBOOK
15:02:52.0859 3744 UserName: M
15:02:52.0859 3744 Windows directory: C:\WINDOWS
15:02:52.0859 3744 System windows directory: C:\WINDOWS
15:02:52.0859 3744 Processor architecture: Intel x86
15:02:52.0859 3744 Number of processors: 2
15:02:52.0859 3744 Page size: 0x1000
15:02:52.0859 3744 Boot type: Normal boot
15:02:52.0859 3744 ============================================================
15:02:54.0406 3744 Initialize success
15:03:01.0640 2116 ============================================================
15:03:01.0640 2116 Scan started
15:03:01.0640 2116 Mode: Manual;
15:03:01.0640 2116 ============================================================
15:03:02.0093 2116 Abiosdsk - ok
15:03:02.0125 2116 abp480n5 - ok
15:03:02.0171 2116 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:03:02.0187 2116 ACPI - ok
15:03:02.0218 2116 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
15:03:02.0218 2116 ACPIEC - ok
15:03:02.0234 2116 adpu160m - ok
15:03:02.0296 2116 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:03:02.0312 2116 aec - ok
15:03:02.0343 2116 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
15:03:02.0343 2116 Afc - ok
15:03:02.0453 2116 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
15:03:02.0468 2116 AFD - ok
15:03:02.0484 2116 Aha154x - ok
15:03:02.0531 2116 aic78u2 - ok
15:03:02.0562 2116 aic78xx - ok
15:03:02.0609 2116 AliIde - ok
15:03:02.0703 2116 amsint - ok
15:03:02.0828 2116 AR5416 (6eacc829e76b1efdface633619a3db31) C:\WINDOWS\system32\DRIVERS\athw.sys
15:03:02.0875 2116 AR5416 - ok
15:03:02.0921 2116 ArcCD (a82f1a1b09593c73efd02a59dc94920c) C:\WINDOWS\system32\drivers\ArcCD.sys
15:03:02.0937 2116 ArcCD - ok
15:03:02.0968 2116 ArcRec (1af9061b61741a912368ab4dc309d25e) C:\WINDOWS\system32\drivers\ArcRec.sys
15:03:02.0968 2116 ArcRec - ok
15:03:03.0046 2116 ArcUdfs (3ee9e41102a2c6b8f7dbad5d44abda05) C:\WINDOWS\system32\drivers\ArcUdfs.sys
15:03:03.0046 2116 ArcUdfs - ok
15:03:03.0093 2116 asc - ok
15:03:03.0109 2116 asc3350p - ok
15:03:03.0140 2116 asc3550 - ok
15:03:03.0203 2116 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:03:03.0203 2116 AsyncMac - ok
15:03:03.0250 2116 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:03:03.0250 2116 atapi - ok
15:03:03.0312 2116 Atdisk - ok
15:03:03.0359 2116 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:03:03.0375 2116 Atmarpc - ok
15:03:03.0437 2116 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:03:03.0453 2116 audstub - ok
15:03:03.0546 2116 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
15:03:03.0546 2116 avgio - ok
15:03:03.0625 2116 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
15:03:03.0640 2116 avgntflt - ok
15:03:03.0703 2116 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
15:03:03.0703 2116 avipbb - ok
15:03:03.0734 2116 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:03:03.0734 2116 Beep - ok
15:03:03.0828 2116 BTKRNL (49fd2960c0c5fe06dedf9560ad4c9547) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
15:03:03.0875 2116 BTKRNL - ok
15:03:03.0921 2116 BTWUSB (6b622612fe21b59faee2ca4385959778) C:\WINDOWS\system32\Drivers\btwusb.sys
15:03:03.0921 2116 BTWUSB - ok
15:03:03.0968 2116 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:03:03.0968 2116 cbidf2k - ok
15:03:04.0046 2116 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
15:03:04.0046 2116 CCDECODE - ok
15:03:04.0062 2116 cd20xrnt - ok
15:03:04.0093 2116 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:03:04.0093 2116 Cdaudio - ok
15:03:04.0125 2116 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:03:04.0125 2116 Cdfs - ok
15:03:04.0140 2116 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:03:04.0156 2116 Cdrom - ok
15:03:04.0171 2116 Changer - ok
15:03:04.0234 2116 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
15:03:04.0234 2116 CmBatt - ok
15:03:04.0281 2116 CmdIde - ok
15:03:04.0343 2116 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
15:03:04.0343 2116 Compbatt - ok
15:03:04.0421 2116 Cpqarray - ok
15:03:04.0453 2116 dac2w2k - ok
15:03:04.0468 2116 dac960nt - ok
15:03:04.0500 2116 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:03:04.0500 2116 Disk - ok
15:03:04.0578 2116 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:03:04.0609 2116 dmboot - ok
15:03:04.0687 2116 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:03:04.0687 2116 dmio - ok
15:03:04.0750 2116 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:03:04.0750 2116 dmload - ok
15:03:04.0828 2116 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:03:04.0828 2116 DMusic - ok
15:03:04.0890 2116 DNSeFilter (128ae3aedde1e3ae772c88320628fe7c) C:\WINDOWS\system32\drivers\SamsungEDS.sys
15:03:04.0890 2116 DNSeFilter - ok
15:03:04.0953 2116 DOSMEMIO (8a4cb9438571814b128b6dc30d698064) C:\WINDOWS\system32\MEMIO.SYS
15:03:04.0968 2116 DOSMEMIO - ok
15:03:05.0015 2116 dpti2o - ok
15:03:05.0046 2116 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:03:05.0046 2116 drmkaud - ok
15:03:05.0156 2116 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:03:05.0156 2116 Fastfat - ok
15:03:05.0218 2116 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
15:03:05.0218 2116 Fdc - ok
15:03:05.0281 2116 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:03:05.0281 2116 Fips - ok
15:03:05.0343 2116 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
15:03:05.0343 2116 Flpydisk - ok
15:03:05.0375 2116 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
15:03:05.0390 2116 FltMgr - ok
15:03:05.0421 2116 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:03:05.0421 2116 Fs_Rec - ok
15:03:05.0468 2116 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:03:05.0468 2116 Ftdisk - ok
15:03:05.0500 2116 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:03:05.0515 2116 Gpc - ok
15:03:05.0562 2116 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:03:05.0562 2116 HDAudBus - ok
15:03:05.0656 2116 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:03:05.0656 2116 HidUsb - ok
15:03:05.0703 2116 hpn - ok
15:03:05.0765 2116 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:03:05.0765 2116 HTTP - ok
15:03:05.0812 2116 i2omgmt - ok
15:03:05.0828 2116 i2omp - ok
15:03:05.0875 2116 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:03:05.0875 2116 i8042prt - ok
15:03:06.0156 2116 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
15:03:06.0390 2116 ialm - ok
15:03:06.0484 2116 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:03:06.0484 2116 Imapi - ok
15:03:06.0515 2116 ini910u - ok
15:03:06.0750 2116 IntcAzAudAddService (32915772ccd5bc2bf9762195c002a949) C:\WINDOWS\system32\drivers\RtkHDAud.sys
15:03:06.0875 2116 IntcAzAudAddService - ok
15:03:07.0031 2116 IntelIde - ok
15:03:07.0218 2116 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:03:07.0218 2116 intelppm - ok
15:03:07.0250 2116 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
15:03:07.0250 2116 Ip6Fw - ok
15:03:07.0296 2116 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:03:07.0296 2116 IpFilterDriver - ok
15:03:07.0312 2116 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:03:07.0312 2116 IpInIp - ok
15:03:07.0359 2116 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:03:07.0375 2116 IpNat - ok
15:03:07.0437 2116 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:03:07.0437 2116 IPSec - ok
15:03:07.0484 2116 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:03:07.0484 2116 IRENUM - ok
15:03:07.0562 2116 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:03:07.0562 2116 isapnp - ok
15:03:07.0625 2116 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\Iviaspi.sys
15:03:07.0625 2116 Iviaspi - ok
15:03:07.0671 2116 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:03:07.0671 2116 Kbdclass - ok
15:03:07.0718 2116 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:03:07.0734 2116 kmixer - ok
15:03:07.0781 2116 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:03:07.0796 2116 KSecDD - ok
15:03:07.0890 2116 lbrtfdc - ok
15:03:07.0968 2116 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:03:07.0968 2116 mnmdd - ok
15:03:08.0015 2116 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:03:08.0015 2116 Modem - ok
15:03:08.0046 2116 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:03:08.0046 2116 Mouclass - ok
15:03:08.0093 2116 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:03:08.0093 2116 mouhid - ok
15:03:08.0156 2116 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:03:08.0156 2116 MountMgr - ok
15:03:08.0218 2116 mraid35x - ok
15:03:08.0265 2116 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:03:08.0281 2116 MRxDAV - ok
15:03:08.0328 2116 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:03:08.0359 2116 MRxSmb - ok
15:03:08.0390 2116 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:03:08.0406 2116 Msfs - ok
15:03:08.0453 2116 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:03:08.0453 2116 MSKSSRV - ok
15:03:08.0500 2116 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:03:08.0500 2116 MSPCLOCK - ok
15:03:08.0609 2116 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:03:08.0609 2116 MSPQM - ok
15:03:08.0656 2116 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:03:08.0671 2116 mssmbios - ok
15:03:08.0703 2116 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
15:03:08.0703 2116 MSTEE - ok
15:03:08.0750 2116 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:03:08.0750 2116 Mup - ok
15:03:08.0859 2116 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
15:03:08.0859 2116 NABTSFEC - ok
15:03:08.0921 2116 NDIS (8716356e49a665bdc7b114725b60a456) C:\WINDOWS\system32\drivers\NDIS.sys
15:03:08.0937 2116 NDIS - ok
15:03:08.0968 2116 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
15:03:08.0968 2116 NdisIP - ok
15:03:09.0000 2116 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:03:09.0000 2116 NdisTapi - ok
15:03:09.0078 2116 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:03:09.0078 2116 Ndisuio - ok
15:03:09.0093 2116 NdisWan (5526cfebb619f7f763bd6a2e1b618078) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:03:09.0109 2116 NdisWan - ok
15:03:09.0156 2116 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:03:09.0171 2116 NDProxy - ok
15:03:09.0234 2116 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:03:09.0234 2116 NetBIOS - ok
15:03:09.0281 2116 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:03:09.0281 2116 NetBT - ok
15:03:09.0390 2116 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:03:09.0390 2116 Npfs - ok
15:03:09.0453 2116 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:03:09.0484 2116 Ntfs - ok
15:03:09.0562 2116 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
15:03:09.0578 2116 NuidFltr - ok
15:03:09.0625 2116 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:03:09.0625 2116 Null - ok
15:03:09.0703 2116 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:03:09.0703 2116 NwlnkFlt - ok
15:03:09.0750 2116 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:03:09.0750 2116 NwlnkFwd - ok
15:03:09.0796 2116 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
15:03:09.0796 2116 Parport - ok
15:03:09.0859 2116 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:03:09.0859 2116 PartMgr - ok
15:03:09.0921 2116 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:03:09.0921 2116 ParVdm - ok
15:03:10.0000 2116 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:03:10.0015 2116 PCI - ok
15:03:10.0031 2116 PCIDump - ok
15:03:10.0046 2116 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:03:10.0046 2116 PCIIde - ok
15:03:10.0093 2116 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:03:10.0093 2116 Pcmcia - ok
15:03:10.0109 2116 PDCOMP - ok
15:03:10.0125 2116 PDFRAME - ok
15:03:10.0140 2116 PDRELI - ok
15:03:10.0171 2116 PDRFRAME - ok
15:03:10.0187 2116 perc2 - ok
15:03:10.0203 2116 perc2hib - ok
15:03:10.0265 2116 pfc (ed2e7f396b4098608c95bc3806bdf6fc) C:\WINDOWS\system32\drivers\pfc.sys
15:03:10.0265 2116 pfc - ok
15:03:10.0343 2116 pnarp (36fcac4fa28b462ca867742dea59b0d0) C:\WINDOWS\system32\DRIVERS\pnarp.sys
15:03:10.0343 2116 pnarp - ok
15:03:10.0390 2116 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:03:10.0390 2116 PptpMiniport - ok
15:03:10.0421 2116 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:03:10.0421 2116 PSched - ok
15:03:10.0453 2116 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:03:10.0468 2116 Ptilink - ok
15:03:10.0484 2116 purendis (d8ac00388262b1a4878a7ee12f31d376) C:\WINDOWS\system32\DRIVERS\purendis.sys
15:03:10.0484 2116 purendis - ok
15:03:10.0515 2116 ql1080 - ok
15:03:10.0531 2116 Ql10wnt - ok
15:03:10.0546 2116 ql12160 - ok
15:03:10.0562 2116 ql1240 - ok
15:03:10.0593 2116 ql1280 - ok
15:03:10.0640 2116 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:03:10.0640 2116 RasAcd - ok
15:03:10.0687 2116 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:03:10.0703 2116 Rasl2tp - ok
15:03:10.0718 2116 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:03:10.0734 2116 RasPppoe - ok
15:03:10.0750 2116 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
15:03:10.0750 2116 Raspti - ok
15:03:10.0796 2116 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:03:10.0796 2116 Rdbss - ok
15:03:10.0843 2116 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:03:10.0859 2116 RDPCDD - ok
15:03:10.0921 2116 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
15:03:10.0921 2116 RDPWD - ok
15:03:10.0984 2116 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
15:03:11.0000 2116 redbook - ok
15:03:11.0078 2116 regi (001b4278407f4303efc902a2b16f2453) C:\WINDOWS\system32\drivers\regi.sys
15:03:11.0078 2116 regi - ok
15:03:11.0171 2116 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:03:11.0171 2116 Secdrv - ok
15:03:11.0234 2116 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
15:03:11.0234 2116 Serial - ok
15:03:11.0281 2116 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:03:11.0281 2116 Sfloppy - ok
15:03:11.0328 2116 Simbad - ok
15:03:11.0359 2116 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
15:03:11.0375 2116 SLIP - ok
15:03:11.0406 2116 Sparrow - ok
15:03:11.0453 2116 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:03:11.0453 2116 splitter - ok
15:03:11.0515 2116 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:03:11.0531 2116 sr - ok
15:03:11.0593 2116 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:03:11.0609 2116 Srv - ok
15:03:11.0671 2116 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
15:03:11.0671 2116 ssmdrv - ok
15:03:11.0734 2116 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
15:03:11.0734 2116 streamip - ok
15:03:11.0796 2116 SUEPD (c0137b5947ae3d3fc1c17ba6fdfb3dad) C:\WINDOWS\system32\DRIVERS\SUE_PD.sys
15:03:11.0796 2116 SUEPD - ok
15:03:11.0875 2116 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:03:11.0875 2116 swenum - ok
15:03:11.0921 2116 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:03:11.0921 2116 swmidi - ok
15:03:11.0953 2116 symc810 - ok
15:03:11.0968 2116 symc8xx - ok
15:03:11.0984 2116 sym_hi - ok
15:03:12.0000 2116 sym_u3 - ok
15:03:12.0062 2116 SynTP (ea447f6db6115e8a32352f9faffa824d) C:\WINDOWS\system32\DRIVERS\SynTP.sys
15:03:12.0062 2116 SynTP - ok
15:03:12.0125 2116 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:03:12.0125 2116 sysaudio - ok
15:03:12.0203 2116 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:03:12.0218 2116 Tcpip - ok
15:03:12.0312 2116 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:03:12.0312 2116 TDPIPE - ok
15:03:12.0359 2116 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:03:12.0359 2116 TDTCP - ok
15:03:12.0406 2116 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:03:12.0406 2116 TermDD - ok
15:03:12.0484 2116 TosIde - ok
15:03:12.0562 2116 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:03:12.0562 2116 Udfs - ok
15:03:12.0640 2116 ULCDRHlp (a4e07da3ae2078bd96e84d4baa07b71d) C:\WINDOWS\system32\Drivers\ULCDRHlp.sys
15:03:12.0640 2116 ULCDRHlp - ok
15:03:12.0656 2116 ultra - ok
15:03:12.0734 2116 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:03:12.0750 2116 Update - ok
15:03:12.0828 2116 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:03:12.0828 2116 usbccgp - ok
15:03:12.0906 2116 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:03:12.0906 2116 usbehci - ok
15:03:12.0953 2116 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:03:12.0953 2116 usbhub - ok
15:03:13.0000 2116 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:03:13.0000 2116 usbprint - ok
15:03:13.0062 2116 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:03:13.0062 2116 usbscan - ok
15:03:13.0093 2116 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:03:13.0093 2116 USBSTOR - ok
15:03:13.0125 2116 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:03:13.0125 2116 usbuhci - ok
15:03:13.0187 2116 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
15:03:13.0187 2116 usbvideo - ok
15:03:13.0218 2116 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:03:13.0218 2116 VgaSave - ok
15:03:13.0265 2116 ViaIde - ok
15:03:13.0328 2116 VMC326 (4f101e48d060e318752fbc458a4b49f0) C:\WINDOWS\system32\Drivers\VMC326.sys
15:03:13.0343 2116 VMC326 - ok
15:03:13.0562 2116 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:03:13.0562 2116 VolSnap - ok
15:03:13.0671 2116 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:03:13.0671 2116 Wanarp - ok
15:03:13.0765 2116 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
15:03:13.0781 2116 Wdf01000 - ok
15:03:13.0843 2116 WDICA - ok
15:03:13.0921 2116 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:03:13.0921 2116 wdmaud - ok
15:03:14.0031 2116 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
15:03:14.0031 2116 WSTCODEC - ok
15:03:14.0125 2116 yukonwxp (7578410b1512fad9c485b134561e8b78) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
15:03:14.0140 2116 yukonwxp - ok
15:03:14.0187 2116 MBR (0x1B8) (6f3c014dfe829b23d6d08b7da9d82812) \Device\Harddisk0\DR0
15:03:14.0187 2116 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
15:03:14.0187 2116 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
15:03:14.0218 2116 Boot (0x1200) (3420fecbf4da9088ef1fa648e3bcfded) \Device\Harddisk0\DR0\Partition0
15:03:14.0218 2116 \Device\Harddisk0\DR0\Partition0 - ok
15:03:14.0250 2116 Boot (0x1200) (84a44755ae30129d9cedbebf2ab29598) \Device\Harddisk0\DR0\Partition1
15:03:14.0250 2116 \Device\Harddisk0\DR0\Partition1 - ok
15:03:14.0250 2116 ============================================================
15:03:14.0250 2116 Scan finished
15:03:14.0250 2116 ============================================================
15:03:14.0281 4008 Detected object count: 1
15:03:14.0281 4008 Actual detected object count: 1
15:04:09.0281 4008 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
15:04:09.0281 4008 \Device\Harddisk0\DR0 - ok
15:04:09.0281 4008 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
15:04:18.0828 3516 Deinitialize success
  • 0
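A small triage script for logs of this shape, added here as an example; it is not TDSSKiller's code and not something posted in the thread. It pulls out the hashed objects (drivers, MBR, boot sectors), the verdict each one received, the detection family and the action the user chose, and cross-checks the tool's own "Detected object count" against what it found. The sample lines are constructed from the shape of the log above; the record layout and function names are this example's own.

```python
"""Triage a TDSSKiller-style log: list hashed objects, pull out detections with
the action chosen for each, and cross-check the tool's reported count.

Added example for this thread, not TDSSKiller code. Line shapes handled are the
ones visible in the posted log; anything else is kept as kind "other".
"""
import re

# Constructed sample in the shape of the log posted above (hashes and names
# copied from that log; this is not a full log).
SAMPLE_LOG = r"""
15:02:52.0750 3744 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
15:03:02.0171 2116 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:03:02.0187 2116 ACPI - ok
15:03:02.0234 2116 adpu160m - ok
15:03:14.0187 2116 MBR (0x1B8) (6f3c014dfe829b23d6d08b7da9d82812) \Device\Harddisk0\DR0
15:03:14.0187 2116 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
15:03:14.0187 2116 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
15:03:14.0218 2116 Boot (0x1200) (3420fecbf4da9088ef1fa648e3bcfded) \Device\Harddisk0\DR0\Partition0
15:03:14.0218 2116 \Device\Harddisk0\DR0\Partition0 - ok
15:03:14.0281 4008 Detected object count: 1
15:04:09.0281 4008 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
15:04:09.0281 4008 \Device\Harddisk0\DR0 - ok
15:04:09.0281 4008 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
"""

# "<hh:mm:ss.ffff> <thread id> <body>"
PREFIX = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+(?P<body>.*)$")
# "<name> [(0xSIZE)] (<md5>) <path>": a scanned driver, MBR or boot sector
OBJECT = re.compile(
    r"^(?P<name>\S+)(?: \((?P<size>0x[0-9A-Fa-f]+)\))? \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
# "<object> [( <family> )] - <verdict>"
VERDICT = re.compile(
    r"^(?P<object>.+?)(?: \( (?P<family>[^)]+) \))? - "
    r"(?P<verdict>ok|infected|detected (?P<det>\S+).*|will be cured on reboot|"
    r"User select action: (?P<action>\S+))$"
)
COUNT = re.compile(r"^(?:Actual )?[Dd]etected object count: (?P<n>\d+)$")


def parse_line(line):
    """Classify one log line into a record dict; blank lines give None."""
    line = line.strip()
    if not line:
        return None
    m = PREFIX.match(line)
    if not m:
        return {"kind": "other", "text": line}
    ts, body = m.group("ts"), m.group("body")
    o = OBJECT.match(body)
    if o:
        return {"kind": "object", "ts": ts, "name": o.group("name"),
                "size": o.group("size"), "md5": o.group("md5"), "path": o.group("path")}
    v = VERDICT.match(body)
    if v:
        return {"kind": "verdict", "ts": ts, "object": v.group("object"),
                "family": v.group("family") or v.group("det"),
                "verdict": v.group("verdict"), "action": v.group("action")}
    c = COUNT.match(body)
    if c:
        return {"kind": "count", "ts": ts, "n": int(c.group("n"))}
    return {"kind": "other", "ts": ts, "text": body}


def parse_log(text):
    """Parse every non-blank line of a log into records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def summarize(records):
    """Condense records into what a helper reads off the log: detections, the
    action taken on each, the MBR hash, and whether the reported count agrees."""
    objects = [r for r in records if r["kind"] == "object"]
    seen, detections, reported = set(), {}, None
    for r in records:
        if r["kind"] == "verdict":
            seen.add(r["object"])
            v = r["verdict"]
            if v == "infected" or v.startswith("detected"):
                # first detection line wins; later lines only add the action
                detections.setdefault(r["object"], {"family": r["family"], "action": None})
            elif r["action"] and r["object"] in detections:
                detections[r["object"]]["action"] = r["action"]
        elif r["kind"] == "count":
            reported = r["n"]  # last count line reported by the tool
    mbr = [o for o in objects if o["name"] == "MBR"]
    return {
        "objects_with_verdict": len(seen),
        "hashed_objects": len(objects),
        "mbr_md5": mbr[0]["md5"] if mbr else None,
        "detections": detections,
        "reported_count": reported,
        "count_matches": (reported == len(detections)) if reported is not None else None,
        "clean": not detections,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the sample, or feed it a saved TDSSKiller log with `summarize(parse_log(open(path).read()))`. The useful output is `detections` (object, family, chosen action) and `count_matches`: a log whose tail is cut off, or one where the user chose Skip, shows up as a detection with `action` still `None`, which is exactly the case a helper wants flagged before telling someone the machine is clean.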

#8
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi soonerskies,

Now we know the reason for redirection :). Test your system for redirection after this step.


Download aswMBR.exe ( 511KB ) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

  • 0

#9
soonerskies

soonerskies

    Member

  • Topic Starter
  • Member
  • 74 posts
Yay! Thank you maliprog!! Below is the log file. When I ran aswMBR ... it asked if wanted to download Avast virus definitions to use in the scan. Since the instructions didn't mention that, I chose not to. Do you want me to rerun aswMBR again and use the Avast definitions ... or are we good with this run? :)

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-07 00:26:48
-----------------------------
00:26:48.671 OS Version: Windows 5.1.2600 Service Pack 3
00:26:48.671 Number of processors: 2 586 0x1C02
00:26:48.671 ComputerName: JAIN-NETBOOK UserName: Michael
00:26:49.078 Initialize success
00:28:08.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
00:28:08.187 Disk 0 Vendor: FUJITSU_MHZ2160BH_G2 008B000B Size: 152627MB BusType: 3
00:28:10.203 Disk 0 MBR read successfully
00:28:10.203 Disk 0 MBR scan
00:28:10.203 Disk 0 unknown MBR code
00:28:10.203 Disk 0 scanning sectors +312578048
00:28:10.296 Disk 0 scanning C:\WINDOWS\system32\drivers
00:28:19.156 Service scanning
00:28:20.359 Modules scanning
00:28:26.359 Disk 0 trace - called modules:
00:28:26.375 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:28:26.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fe7308]
00:28:26.390 3 CLASSPNP.SYS[f788bfd7] -> nt!IofCallDriver -> \Device\00000067[0x86f0e510]
00:28:26.390 5 ACPI.sys[f7802620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f0d940]
00:28:26.390 Scan finished successfully
00:29:21.578 Disk 0 MBR has been saved successfully to "E:\Computer Malware Cleanup etc\aswMBR\MBR.dat"
00:29:22.125 The log file has been saved successfully to "E:\Computer Malware Cleanup etc\aswMBR\aswMBR.txt"
  • 0
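Both logs above report MBR-level facts: TDSSKiller's "MBR (0x1B8) (hash)" line and its TDL4 detection in post #7, and aswMBR's "MBR read successfully" / "unknown MBR code" lines plus the MBR.dat it saved in this post. The following is an added example, not code from this thread, from either poster, or from the TDSSKiller/aswMBR tools themselves. It parses a 512-byte MBR image, checks the boot signature and partition table, and hashes the boot-code region so it can be compared against a known-good baseline (for instance an MBR.dat captured from the same machine while it was known to be clean). Two assumptions: that the "0x1B8" in TDSSKiller's line is the length of the hashed code region (bytes 0x000 to 0x1B7, ending where the disk signature starts), and that MBR.dat is a raw sector dump. The sample MBR bytes are constructed for the example.

```python
"""Parse a raw MBR sector and compare it against a known-good baseline.

Added example (not from the forum thread or from TDSSKiller/aswMBR).
The sample MBR built by build_sample_mbr() is constructed, not real data.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA_END = 0x1B8          # boot code occupies bytes 0x000..0x1B7 (assumption: what "MBR (0x1B8)" hashes)
DISK_SIG_OFFSET = 0x1B8        # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition-table entries
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 0x1FE..0x1FF


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition-table entry (CHS fields are ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data: bytes) -> dict:
    """Return boot-signature validity, disk signature, code-area MD5 and the used partition entries."""
    if len(data) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector = data[:SECTOR_SIZE]
    entries = [
        parse_partition_entry(sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        "boot_signature_ok": sector[0x1FE:0x200] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "code_md5": hashlib.md5(sector[:CODE_AREA_END]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0 and e["sectors"] != 0],
    }


def check_mbr(data: bytes, baseline_code_md5: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(data)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_md5"] != baseline_code_md5:
        # A bootkit such as TDL4 replaces the boot code, so the hash of this region changes.
        findings.append("MBR code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("overlapping partition entries")
            break
    return findings


def load_mbr_image(path: str) -> bytes:
    """Read the first sector of a raw dump such as the MBR.dat aswMBR saves (assumed to be raw bytes)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR image with one bootable and one data partition."""
    # Typical real-mode prologue: xor ax,ax / mov ss,ax / mov sp,7C00h / mov es,ax; rest zero-padded.
    code = bytes.fromhex("33c08ed0bc007c8ec0").ljust(CODE_AREA_END, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"

    def entry(status, ptype, lba_start, sectors):
        return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)

    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x07, 206848, 102400) + bytes(32)
    mbr = code + disk_sig + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = parse_mbr(sample)["code_md5"]      # capture this while the machine is known clean
    print("clean image findings:", check_mbr(sample, baseline))
    tampered = bytearray(sample)
    tampered[0] = 0xEB                            # simulate modified boot code
    print("tampered image findings:", check_mbr(bytes(tampered), baseline))
```

In practice the baseline hash is taken once from a known-clean dump of the same disk (the vendor's stock MBR code differs between OEM images, which is why aswMBR reports "unknown MBR code" rather than a verdict), and the check is rerun after any suspected infection or after a scanner reports a cure on reboot.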

#10
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
We are good with this scan :). Please use/test your system for a while and I'll prepare some cleanup for you in the meantime.
  • 0

#11
soonerskies

    Member

  • Topic Starter
  • Member
  • 74 posts
I surfed around for a bit ... didn't have any redirection problems ... system didn't become sluggish, etc! Looking good!!! :)
  • 0

#12
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Good work! Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean up your PC from the programs we used.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the "Automatic (recommended): Automatically download recommended updates for my computer and install them" option.
  • Click OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.
  • 0

#13
soonerskies

    Member

  • Topic Starter
  • Member
  • 74 posts
Great work maliprog!!! Thank you so much! I'll keep checking the behavior of the system over the next several days. Hopefully this took care of it. Thanks again!!! Well done! :)
  • 0

#14
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0