redirects web pages, errors, slow and locks up.



kaustin
2010-10-13, 05:28
Help, I have not run any fixes except for AVG; it's getting worse by the day, and I've had it for about three days. Thanks, KA

DDS (Ver_10-10-10.03) - NTFSx86
Run by K A at 22:13:19.14 on Tue 10/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.507 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
svchost.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Kevin Austin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf viewer\PDFXCviewIEPlugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
StartupFolder: c:\docume~1\kevina~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-11 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-11 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-10-11 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-10-11 297752]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-10-26 822424]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]

=============== Created Last 30 ================

2010-10-12 21:39:17 -------- d-sh--w- c:\documents and settings\kevin austin\PrivacIE
2010-10-12 10:55:11 482408 ----a-w- c:\windows\ssndii.exe
2010-10-12 10:55:06 -------- d-----w- c:\program files\SamsungPrinterLiveUpdate
2010-10-12 10:55:00 -------- d-----w- c:\windows\Samsung
2010-10-12 10:54:19 26624 ----a-w- c:\windows\system32\ssp6ml3.dll
2010-10-12 10:54:14 19968 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\ssp6mpc.dll
2010-10-12 10:54:08 65536 ----a-w- c:\windows\system32\ssp6mci.dll
2010-10-12 10:54:08 151552 ----a-w- c:\windows\system32\ssp6mci.exe
2010-10-12 10:54:02 81920 ----a-w- c:\windows\system32\ssdevm.dll
2010-10-12 10:54:02 49152 ----a-w- c:\windows\system32\ssusbpn.dll
2010-10-12 10:54:01 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-10-12 10:53:59 21776 ----a-w- c:\windows\system32\msxml2a.dll
2010-10-12 10:52:21 -------- d-----w- c:\program files\Samsung
2010-10-11 22:21:52 -------- d-sh--w- c:\documents and settings\kevin austin\IETldCache
2010-10-11 22:18:28 -------- dc-h--w- c:\windows\ie8
2010-10-11 21:33:32 -------- d-----w- c:\windows\system32\scripting
2010-10-11 21:33:32 -------- d-----w- c:\windows\system32\en
2010-10-11 21:33:32 -------- d-----w- c:\windows\l2schemas
2010-10-11 21:33:31 -------- d-----w- c:\windows\system32\bits
2010-10-11 21:28:24 -------- d-----w- c:\windows\network diagnostic
2010-10-11 21:24:27 -------- d-----w- c:\windows\EHome
2010-10-11 03:11:48 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-07-17 07:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 22:14:46.10 ===============

ken545
2010-10-16, 01:18


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Nothing bad is jumping out at me, but this stuff hides. Let's do this; run these in order, please.

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.







Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.





Download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer to your Desktop.
Close any open browsers.
Double-click on OTS.exe to start the program.
Leave all settings as they appear as default, except for the following:
Under Drivers, select "All".
Under Additional Scans, click on the "Extra" button.

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, just attach it).

kaustin
2010-10-16, 18:14
I can zip the OTS file, or is there any other way you would like to get it?
OTS.Txt:
Your file of 152.8 KB bytes exceeds the forum's limit of 48.8 KB for this filetype.

Malwarebytes did not find anything.
Also, I do thank you for your help.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4850

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/16/2010 10:19:41 AM
mbam-log-2010-10-16 (10-19-41).txt

Scan type: Quick scan
Objects scanned: 134834
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

ken545
2010-10-16, 19:41
Hi,

Go ahead and zip and attach it

kaustin
2010-10-17, 04:47
OTS file zipped and attached.

ken545
2010-10-17, 11:39
Good Morning,

Still nothing jumping out at me. You do have two antivirus programs running, and that can be causing some problems; more than one can degrade system performance and cause other issues. You have Symantec and AVG; you need to go to your Control Panel > Add/Remove Programs and uninstall one.


If you're getting redirects, there could be a possible rootkit-type infection that most times doesn't show up on the logs, so let's check for one.



http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Please download GMER from one of the following locations, and save it to your desktop:

Main Mirror (http://gmer.net/download.php)
This version will download a randomly named file (Recommended)
Zip Mirror (http://gmer.net/gmer.zip)
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.



Extract the contents of the zipped file to desktop (applicable only to Zip mirror) .
Double click http://billy-oneal.com/forums/gmer/gmerRandomIcon.png or http://billy-oneal.com/forums/gmer/gmerDesktopIcon.png on your desktop.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
http://billy-oneal.com/forums/gmer/gmerNoDialog.png

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

kaustin
2010-10-19, 04:38
I tried 4 times yesterday and twice today to run GMER: computer lockup, blue screen, etc. Today I think it did the full scan; I clicked on Save and the hourglass stays up, it never brought up the save menu.
A little bit of the history, if this helps: I was on the web and a pop-up that looked like AVG showed I have threats, "do you want to remove?" I clicked Yes, and that's when it loaded the virus, I think.
With Norton Ghost I recovered a copy from the first of the year. It looked clean at first, but within a few days I had all the problems: problems booting, shutting down, blue screen, lockup, redirected web pages, errors.
I will try to run GMER a few more times and see if I can get you anything.
Thanks

ken545
2010-10-19, 10:29
Hi,

Don't know why, but GMER gives some systems fits and on some it goes smooth as glass.

Try it this way, and if it's still a no-go then try it again, but in Safe Mode.

Check only both "Sections" and "C:\" ; leaving all others unchecked.


To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

kaustin
2010-10-20, 03:18
File 1 is in normal Windows but did not finish.
File 2 is in Safe Mode and did finish.
See if this will tell you anything.

ken545
2010-10-20, 10:57
Both GMER logs look ok.

Try this other one; it's more system-friendly.

Please download Rooter Rootkit Detector (http://eric.71.mespages.googlepages.com/Rooter.exe) to your Desktop

Doubleclick it to start the tool.
A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
Post the report for me to see.






Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

kaustin
2010-10-20, 23:55
Rooter attached.
I will run the ESET scan next.

ken545
2010-10-21, 00:55
Rooter looks fine

kaustin
2010-10-21, 03:31
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e71baf45ece6864ba33b0fc673cdc9f6
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-20 11:05:02
# local_time=2010-10-20 06:05:02 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 32234491 32234491 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=75782
# found=4
# cleaned=4
# scan_time=3540
C:\Documents and Settings\Kevin Austin\My Documents\Downloads\remove trojins\SmitfraudFix.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kevin Austin\My Documents\Downloads\remove trojins\SmitfraudFix\Process.exe Win32/PrcView application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kevin Austin\My Documents\Downloads\remove trojins\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Kevin Austin\My Documents\Downloads\remove trojins\SmitfraudFix\SmitfraudFix.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

ken545
2010-10-21, 09:26
Hi,

Looks like you downloaded Smitfraud fix at one time and ESET removed it, didn't find anything else bad.

Did you remove one Antivirus program ?

Are you still getting redirects ?

kaustin
2010-10-21, 12:53
I find nothing about Symantec on my computer; it is not in Add/Remove.
Maybe I need to download and run the Symantec removal tool?
Yes, I am still getting redirected, Win32 errors. I would have to run the computer a little more, but I do think it is better.

ken545
2010-10-21, 13:26
Yes, I would run the Symantec Removal Tool
http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN



Then run this program please

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

kaustin
2010-10-22, 02:59
Symantec did not have a removal tool for SystemWorks 2001.

ComboFix 10-10-21.02 - Kevin Austin 10/21/2010 19:16:45.1.2 - x86
Running from: c:\documents and settings\Kevin Austin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-10-11 2048352]
"EPSON Stylus CX6600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-02-29 98304]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-10 1537648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2009-08-28 614400]

c:\documents and settings\Kevin Austin\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2002-8-9 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-11 113664]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-12-26 972320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-11 20:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/11/2009 3:04 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/11/2009 3:05 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/11/2009 3:04 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/11/2009 3:04 PM 297752]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-RealFlight2 - E:\CPanel.exe



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86EB9ACE]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7649f28
\Driver\ACPI -> ACPI.sys @ 0xf759ccb8
\Driver\atapi -> atapi.sys @ 0xf7554852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf744abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7457a21
SendHandler -> NDIS.sys @ 0xf743587b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-10-21 19:31:07
ComboFix-quarantined-files.txt 2010-10-22 00:31

Pre-Run: 155,117,854,720 bytes free
Post-Run: 156,165,214,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 1E22EFDB8DAA3DF827921139AC6C9F44

ken545
2010-10-22, 12:40
ComboFix is only showing an entry for Norton Ghost, which is fine. It also did not remove anything bad. If you're still being redirected, exactly what sites are you being sent to?

kaustin
2010-10-23, 04:21
When I open Internet Explorer a second one opens up also. I have been closing it before anything loads; it does not happen every time. When I did not close it in time I have noticed a "buy antivirus" site, and some other general site. This time the first IE hung up, Ctrl-Alt-Delete to close it; the second time opening it a second one opened and hung up, but the first one opened to the home page. I did not find that it is redirecting from the Google selections like it was a while back, but I have not been working on this computer much.
It hangs booting up and closing down, but it has not done that the last few times.
Every time I'm working on the computer I get errors:

IE hungapp

explorer.exe shmedia.dll

Generic host process for Win32 services (get this a lot)

AVG threat popup: ads.smartadx.com/www/delivery/afr.php?zoneid=249&cb=INSERT_RANDOM_NUMBER_HERE Exploit JavaScript Obfuscation {type1332}

C:\WINDOW\system32\ispF.dll Trojan horse Generic 19.MNY

kaustin
2010-10-23, 05:18
30 minutes after I was on the net a second IE popped up, started to go to some mortgage company, then it stopped onhytr8lzz02.com
Then AVG alert: qowomug.co.cc/?d=06abQDcx
Exploit Rouge Scanner (type)1349

ken545
2010-10-23, 11:47
Let's try a few things.

Copy and paste these lines in Notepad.

@Echo on
rem Go to the folder that holds the HOSTS file
pushd\windows\system32\drivers\etc
rem Clear the hidden/system/read-only attributes so the file can be overwritten
attrib -h -s -r hosts
rem Replace HOSTS with the single default localhost entry
echo 127.0.0.1 localhost>HOSTS
rem Put the attributes back
attrib +r +h +s hosts
popd
rem Release and renew the DHCP lease, then clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack, then reboot and delete this script
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Double click to run.
*** Note: Win Vista and Win 7 need to right-click and choose "Run as Administrator". The computer will reboot itself.






Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.






Open Internet Explorer and go to Tools > Internet Options > Advanced Tab > Reset Internet Explorer Settings > Reset (takes a few seconds), then OK your way out, close IE and then reopen it and see if things are better. In the meantime I am going to look over your OTS log to make sure I didn't miss anything.
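The flush.bat and HostsXpert steps above both come down to putting the HOSTS file back to its single default line, because a hijacked HOSTS file is one of the simplest ways a machine ends up with the redirect symptoms described in this thread. The following script is an added example, not ken545's code or any tool from this thread: it parses a HOSTS file and reports every mapping that is not the plain localhost entry, so you can see what a file contains before you overwrite it. The hostnames and addresses in SAMPLE_HOSTS are constructed for the example; they are not taken from the logs in this thread.

```python
"""Audit a Windows HOSTS file for entries that could cause browser redirects."""
import ipaddress
from typing import Dict, List

# Constructed sample HOSTS content (not from this thread): the default
# entries plus mappings of the kind a hijacked HOSTS file contains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed examples of suspicious mappings
203.0.113.10    www.example-av-vendor.test
203.0.113.10    update.example-av-vendor.test   # comment after entry
0.0.0.0         ads.example.test
127.0.0.1       downloads.example-av-vendor.test
"""


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per HOSTS mapping: line number, address, hostnames."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, full-line or trailing
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname maps nothing
        records.append({"lineno": lineno, "ip": parts[0], "hosts": parts[1:]})
    return records


def classify(ip: str) -> str:
    """Describe what a mapping to this address does to the listed names."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "loopback"  # the name points back at this machine
    if addr.is_unspecified:
        return "blackhole"  # 0.0.0.0 / :: sinkholes the name (common in ad-block lists)
    return "redirect"  # the name resolves to some other machine, bypassing DNS


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Return every mapping except the default 'localhost -> loopback' entries.

    A loopback mapping for any other name is still reported: pointing a
    vendor's update or download site at 127.0.0.1 is a classic way malware
    blocks security software, so it is not treated as benign.
    """
    findings = []
    for rec in parse_hosts(text):
        kind = classify(str(rec["ip"]))
        if kind == "loopback" and rec["hosts"] == ["localhost"]:
            continue
        findings.append({**rec, "kind": kind})
    return findings


def is_default_hosts(text: str) -> bool:
    """True when the file maps nothing but localhost to a loopback address."""
    return not audit_hosts(text)


if __name__ == "__main__":
    # Stand-alone run: print a report for the constructed sample.
    for rec in audit_hosts(SAMPLE_HOSTS):
        names = ", ".join(rec["hosts"])
        print(f"line {rec['lineno']}: {rec['ip']} -> {names} [{rec['kind']}]")
```

To check a real file, read C:\Windows\System32\drivers\etc\hosts into a string and pass it to audit_hosts; an empty result means the file is already in the state the flush.bat script writes, and anything else is worth looking at (a `redirect` entry for a bank or search engine is the hijack case, while `blackhole` entries are usually deliberate ad-blocking).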

kaustin
2010-10-23, 16:24
After doing the above:
A second tab tried to open when I opened IE; it showed (Connecting) and did not complete.
Then later a pop-up (registry errors tab - download registry cleaner). Screenshot attached.

ken545
2010-10-23, 17:59
That's a rogue program; whatever you do, don't install it.

1. Click Start -> All Programs -> Accessories -> System Tools, and then click Internet Explorer (No Add-ons).
See if this helped.




Step 1 | Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs.
Double click on the file to run it.
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
If nothing unusual is found just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

kaustin
2010-10-24, 03:28
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 132):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0x86E9E000 \WINDOWS\system32\KDCOM.DLL
0xF79F9000 \WINDOWS\system32\BOOTVID.dll
0xF7596000 ACPI.sys
0xF7AE5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7585000 pci.sys
0xF75E5000 isapnp.sys
0xF75F5000 ohci1394.sys
0xF7605000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7BAD000 PCIIde.sys
0xF7865000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7AE7000 intelide.sys
0xF7615000 MountMgr.sys
0xF7566000 ftdisk.sys
0xF786D000 PartMgr.sys
0xF7625000 VolSnap.sys
0xF754E000 atapi.sys
0xF7635000 disk.sys
0xF7645000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF752E000 fltmgr.sys
0xF751C000 sr.sys
0xF7506000 SymSnap.sys
0xF74EF000 KSecDD.sys
0xF7462000 Ntfs.sys
0xF7435000 NDIS.sys
0xF741B000 Mup.sys
0xF76E5000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7755000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6BF8000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6BE4000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7975000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6BC0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF797D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7765000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF6B9D000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6A55000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF69BD000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF2333000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF2323000 \SystemRoot\System32\Drivers\Modem.SYS
0xF0857000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF0817000 \SystemRoot\system32\drivers\smwdm.sys
0xF07F3000 \SystemRoot\system32\drivers\portcls.sys
0xF276B000 \SystemRoot\system32\drivers\drmk.sys
0xF0740000 \SystemRoot\system32\drivers\senfilt.sys
0xF231B000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF072C000 \SystemRoot\system32\DRIVERS\parport.sys
0xF1FFB000 \SystemRoot\system32\DRIVERS\serial.sys
0xF6D75000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF1F9B000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF0CEF000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7795000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF089D000 \SystemRoot\System32\Drivers\GearAspiWDM.SYS
0xF7C1D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7715000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6D7D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xED45B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF27FB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF27AB000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79ED000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xEC809000 \SystemRoot\system32\DRIVERS\psched.sys
0xED814000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF3E57000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF3E4F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xED12F000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF3E47000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF3E3F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B35000 \SystemRoot\system32\DRIVERS\swenum.sys
0xEC366000 \SystemRoot\system32\DRIVERS\update.sys
0xED3C9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xECB0D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xECAFD000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B37000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xECC16000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF3E2F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7B39000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xECA73000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B3B000 \SystemRoot\System32\Drivers\Beep.SYS
0xF233B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF232B000 \SystemRoot\System32\drivers\vga.sys
0xF7B3D000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B3F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xECE39000 \SystemRoot\System32\Drivers\Msfs.SYS
0xECE31000 \SystemRoot\System32\Drivers\Npfs.SYS
0xECC02000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB2FCD000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB2F74000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB2F4E000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB2F35000 \SystemRoot\System32\Drivers\avgtdix.sys
0xECADD000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB2F0D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB2EEB000 \SystemRoot\System32\drivers\afd.sys
0xECACD000 \SystemRoot\system32\DRIVERS\netbios.sys
0xECABD000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xECAAD000 \SystemRoot\System32\Drivers\V2IMount.SYS
0xB2EC0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB2E50000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xECA9D000 \SystemRoot\System32\Drivers\Fips.SYS
0xECE29000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB2DFF000 \SystemRoot\System32\Drivers\avgldx86.sys
0xECE21000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF23D6000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF1FCB000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF23CA000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF23C6000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xEC531000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB2DE7000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B63000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF0A0D000 \SystemRoot\System32\drivers\Dxapi.sys
0xECE09000 \SystemRoot\System32\watchdog.sys
0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
0xF7CE9000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D6000 \SystemRoot\System32\ati2dvag.dll
0xBFA18000 \SystemRoot\System32\ati2cqag.dll
0xBFA57000 \SystemRoot\System32\atikvmag.dll
0xBFA8D000 \SystemRoot\System32\ati3duag.dll
0xBFD11000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF6D85000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB0C6A000 \SystemRoot\system32\drivers\wdmaud.sys
0xF1F8B000 \SystemRoot\system32\drivers\sysaudio.sys
0xB093F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7AF3000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB0857000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xB061D000 \SystemRoot\system32\DRIVERS\srv.sys
0xF1F7B000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xB0404000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF78DD000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xB016B000 \SystemRoot\System32\Drivers\HTTP.sys
0xAFD30000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
504 C:\WINDOWS\system32\smss.exe
552 csrss.exe
580 C:\WINDOWS\system32\winlogon.exe
628 C:\WINDOWS\system32\services.exe
640 C:\WINDOWS\system32\lsass.exe
816 C:\WINDOWS\system32\ati2evxx.exe
836 C:\WINDOWS\system32\svchost.exe
904 svchost.exe
976 C:\WINDOWS\system32\svchost.exe
1076 svchost.exe
1144 svchost.exe
1180 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1316 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1576 C:\WINDOWS\system32\spoolsv.exe
1680 C:\WINDOWS\explorer.exe
1928 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
1964 C:\Program Files\Analog Devices\Core\smax4pnp.exe
196 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE
292 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
300 C:\Program Files\Norton Ghost\Agent\GhostTray.exe
324 C:\Program Files\Common Files\Java\Java Update\jusched.exe
336 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
344 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
108 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
1600 C:\WINDOWS\system32\ctfmon.exe
1624 svchost.exe
1724 C:\Program Files\Palm\HOTSYNC.EXE
1772 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
2072 C:\WINDOWS\system32\gearsec.exe
2180 C:\Program Files\Java\jre6\bin\jqs.exe
2228 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2428 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
2460 C:\Program Files\AVG\AVG8\avgrsx.exe
2468 C:\PROGRA~1\AVG\AVG8\avgnsx.exe
2632 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
2788 C:\WINDOWS\system32\snmp.exe
2856 C:\WINDOWS\system32\svchost.exe
2964 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
3124 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3216 C:\PROGRA~1\AVG\AVG8\avgemc.exe
3236 C:\WINDOWS\system32\wuauclt.exe
3364 C:\Program Files\AVG\AVG8\avgcsrvx.exe
4084 alg.exe
2364 C:\PROGRA~1\Yahoo!\Messenger\Ymsgr_tray.exe
1252 C:\WINDOWS\system32\svchost.exe
2576 C:\WINDOWS\system32\wscntfy.exe
3232 C:\Documents and Settings\Kevin Austin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3250620AS, Rev: 3.AAC

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

ken545
2010-10-24, 03:42
1. Run MBRCheck.exe
2. Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
3. Please push the 'Y' key and then press Enter
4. When the program asks you "Enter your choice:", enter 2 and press the Enter key.
5. Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
6. Enter 0 and press the Enter key.
7. The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
8. The program will prompt for confirmation. Type 'YES' and hit Enter.
9. Left click on the title bar (where program name and path is written).
10. From the menu choose Edit -> Select All
11. Hit the Enter key on your keyboard to copy selected text.
12. Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
13. Restart your PC.
14. Post the text in "MBRCheck results.txt" here, please.

kaustin
2010-10-24, 05:14
Not sure if this is what you wanted, I think I followed your directions?

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

ken545
2010-10-24, 10:39
Hi,

Just run MBRCheck like you did the first time in post 23 and post the log please; make sure you post the current one.

Step 1 | Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs.
Double click on the file to run it.
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
If nothing unusual is found just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

kaustin
2010-10-24, 18:51
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: n


Done!
Press ENTER to exit...

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 126):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0x86E96000 \WINDOWS\system32\KDCOM.DLL
0xF79F9000 \WINDOWS\system32\BOOTVID.dll
0xF7596000 ACPI.sys
0xF7AE5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7585000 pci.sys
0xF75E5000 isapnp.sys
0xF75F5000 ohci1394.sys
0xF7605000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7BAD000 PCIIde.sys
0xF7865000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF7AE7000 intelide.sys
0xF7615000 MountMgr.sys
0xF7566000 ftdisk.sys
0xF786D000 PartMgr.sys
0xF7625000 VolSnap.sys
0xF754E000 atapi.sys
0xF7635000 disk.sys
0xF7645000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF752E000 fltmgr.sys
0xF751C000 sr.sys
0xF7506000 SymSnap.sys
0xF74EF000 KSecDD.sys
0xF7462000 Ntfs.sys
0xF7435000 NDIS.sys
0xF741B000 Mup.sys
0xF76E5000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7745000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6978000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6964000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF799D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6940000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF79A5000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF691A000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF68DA000 \SystemRoot\system32\drivers\smwdm.sys
0xF68B6000 \SystemRoot\system32\drivers\portcls.sys
0xF7755000 \SystemRoot\system32\drivers\drmk.sys
0xF6893000 \SystemRoot\system32\drivers\ks.sys
0xF67E0000 \SystemRoot\system32\drivers\senfilt.sys
0xF79AD000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF67CC000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7765000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7AC9000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7775000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7785000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7795000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF79B5000 \SystemRoot\System32\Drivers\GearAspiWDM.SYS
0xF7BDD000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6E30000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7ADD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF60EB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF6E20000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6E10000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79ED000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF60DA000 \SystemRoot\system32\DRIVERS\psched.sys
0xF6B85000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF4723000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF471B000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF23C4000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF4713000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF470B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B61000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF0B6B000 \SystemRoot\system32\DRIVERS\update.sys
0xF7AB9000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF2384000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF2374000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B63000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF4733000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7B49000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAF24D000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B4B000 \SystemRoot\System32\Drivers\Beep.SYS
0xF2922000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF291A000 \SystemRoot\System32\drivers\vga.sys
0xF7B4D000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B4F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF2912000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF290A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xAF21A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAE6CA000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAE671000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAE658000 \SystemRoot\System32\Drivers\avgtdix.sys
0xAE632000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAE60A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAEFFC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAE5E8000 \SystemRoot\System32\drivers\afd.sys
0xAEFEC000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAEFDC000 \SystemRoot\System32\Drivers\V2IMount.SYS
0xAE5BD000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAEFCC000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xAE54D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAEFBC000 \SystemRoot\System32\Drivers\Fips.SYS
0xF2902000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xAE4FC000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF28FA000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7ABD000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF47C3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF1E22000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF1E1E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB26F6000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAE4E4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xAF26C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF73D6000 \SystemRoot\System32\drivers\Dxapi.sys
0xAF30D000 \SystemRoot\System32\watchdog.sys
0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
0xF7BC5000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D6000 \SystemRoot\System32\ati2dvag.dll
0xBFA18000 \SystemRoot\System32\ati2cqag.dll
0xBFA57000 \SystemRoot\System32\atikvmag.dll
0xBFA8D000 \SystemRoot\System32\ati3duag.dll
0xBFD11000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF7A91000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAC38F000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7805000 \SystemRoot\system32\drivers\sysaudio.sys
0xAC36B000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAC0B8000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAE7AA000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAC400000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xABDE6000 \SystemRoot\system32\DRIVERS\srv.sys
0xAC215000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xF7915000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xAB498000 \SystemRoot\System32\Drivers\HTTP.sys
0xAB0AD000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 47):
0 System Idle Process
4 System
468 C:\WINDOWS\system32\smss.exe
516 csrss.exe
544 C:\WINDOWS\system32\winlogon.exe
596 C:\WINDOWS\system32\services.exe
608 C:\WINDOWS\system32\lsass.exe
780 C:\WINDOWS\system32\ati2evxx.exe
800 C:\WINDOWS\system32\svchost.exe
864 svchost.exe
936 C:\WINDOWS\system32\svchost.exe
1092 svchost.exe
1288 svchost.exe
1344 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1436 C:\WINDOWS\explorer.exe
1444 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1648 C:\WINDOWS\system32\spoolsv.exe
2032 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2040 C:\Program Files\Analog Devices\Core\smax4pnp.exe
168 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE
280 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
436 C:\Program Files\Norton Ghost\Agent\GhostTray.exe
236 C:\Program Files\Common Files\Java\Java Update\jusched.exe
512 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
924 svchost.exe
972 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
1156 C:\WINDOWS\system32\ctfmon.exe
1272 C:\Program Files\Palm\HOTSYNC.EXE
1696 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
948 C:\WINDOWS\system32\gearsec.exe
1944 C:\Program Files\Java\jre6\bin\jqs.exe
2060 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2272 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
2356 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
2384 C:\Program Files\AVG\AVG8\avgrsx.exe
2608 C:\WINDOWS\system32\snmp.exe
2672 C:\WINDOWS\system32\svchost.exe
2764 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2976 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3048 C:\PROGRA~1\AVG\AVG8\avgemc.exe
3176 C:\Program Files\AVG\AVG8\avgcsrvx.exe
3840 alg.exe
2128 C:\PROGRA~1\Yahoo!\Messenger\Ymsgr_tray.exe
1868 C:\WINDOWS\system32\svchost.exe
3464 C:\PROGRA~1\AVG\AVG8\avgnsx.exe
1380 C:\WINDOWS\system32\wscntfy.exe
2924 C:\Documents and Settings\Kevin Austin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3250620AS, Rev: 3.AAC

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

ken545
2010-10-24, 19:28
Looks like your Master Boot Record is infected and MBRCheck did not fix it; let me look into this and be back in a bit.

In the meantime run this program and post the log please, it may determine our next move


Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.

Extract the file and run it.

Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)

Please post the content of the TDSSKiller log

ken545
2010-10-24, 19:56
If you have not run TDSS killer yet, hold off on it a bit and do this first

Double click on MBRCheck.exe to run it.
type in Y and press Enter when asked if you wish to see more options
Type in 1 to "Dump the MBR of a physical disk to file" and press Enter
Type in 0 to select your disk and press Enter
Type in dump.txt as the file name and press Enter
Type in -1 to exit and press Enter.
Please attach dump.txt to your next reply for me.
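
The MBRCheck steps in this thread (the Y/2/0/1 rewrite above and the dump-to-file step here) all deal with the first 512-byte sector of the disk: bootstrap code, the NT disk signature, a four-entry partition table and the 0x55AA signature. The logs posted above show the same bootstrap SHA1 (3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995) before and after the rewrite, which is why a raw dump is the next thing to look at. The Python below is an added example written for this thread, not MBRCheck's code, and it does not read MBRCheck's dump.txt format; it takes a raw 512-byte sector image. Which bytes MBRCheck itself feeds to its SHA1 is not stated on the page, so hashing the 440-byte bootstrap area is this example's own choice. The sample sectors and the `KNOWN_GOOD` baseline are constructed; a real baseline needs hashes taken from a known-clean disk of the same Windows version. The partition offset used in the sample (LBA 63, byte offset 0x7E00) matches the one in the thread's logs.

```python
"""Parse a raw 512-byte MBR and compare its bootstrap code with a baseline.

Added example for this thread; it is not MBRCheck's code and does not read
MBRCheck's dump.txt format. The sample sectors and the KNOWN_GOOD set are
constructed for illustration; a real baseline needs hashes taken from a
known-clean disk of the same Windows version.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440            # 4-byte NT disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY = "<B3xB3xII"


def parse_mbr(sector):
    """Return bootstrap hash, disk signature and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(sector))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                # 0x07 = NTFS/IFS
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return {
        "bootstrap_sha1": hashlib.sha1(sector[:BOOTSTRAP_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def classify_bootstrap(sector, known_good):
    """'standard' if the bootstrap hash is in the baseline, else 'non-standard'."""
    return "standard" if parse_mbr(sector)["bootstrap_sha1"] in known_good else "non-standard"


def build_sample_mbr(bootstrap):
    """Constructed sector: the given bootstrap bytes, a disk signature and one
    bootable NTFS partition starting at LBA 63 (byte offset 0x7E00)."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sec, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into(PART_ENTRY, sec, PART_TABLE_OFF, 0x80, 0x07, 63, 488281250)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


# Constructed stand-in for clean bootstrap code (not real Windows boot code).
CLEAN_BOOTSTRAP = bytes(range(0x20, 0x20 + 48)) + b"\x90" * 16
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTSTRAP)
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["bootstrap_sha1"]}   # constructed baseline

# Constructed 'tampered' sector: identical partition table and disk signature,
# but a few bootstrap bytes differ. The partitions still parse (and mount)
# exactly as before, which is why a file-level scan does not notice it.
_t = bytearray(CLEAN_MBR)
_t[0:4] = b"\x00\x11\x22\x33"
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sec)
        print(label, info["bootstrap_sha1"], classify_bootstrap(sec, KNOWN_GOOD))
        for p in info["partitions"]:
            print("  partition %d type 0x%02X at byte offset 0x%X (%d sectors)"
                  % (p["index"], p["type"], p["byte_offset"], p["sectors"]))
```

The point the two samples make is the one the thread is stuck on: the partition table and disk signature of the tampered sector are byte-for-byte the clean ones, so Windows boots and every file looks normal, and only a hash of the bootstrap bytes against a trusted baseline tells the two apart. Feeding a sector obtained from an infected running system into this check has the limitation the thread runs into as well: if what the OS hands back on a read is not what is on the platter, the comparison is only as good as the read.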

kaustin
2010-10-24, 20:38
dump1.txt attached

ken545
2010-10-24, 21:07
OK, thanks, I am having an MBR expert look at this and will post instructions when they get back to me, so sit tight and don't go away.

ken545
2010-10-25, 01:07
Go ahead and run TDSS Killer, looks like a rootkit has infected your MBR

kaustin
2010-10-25, 02:21
Attached screen shot of what it found, do I need to cure, skip, etc...

2010/10/24 19:07:34.0062 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/24 19:07:34.0062 ================================================================================
2010/10/24 19:07:34.0062 SystemInfo:
2010/10/24 19:07:34.0062
2010/10/24 19:07:34.0062 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/24 19:07:34.0062 Product type: Workstation
2010/10/24 19:07:34.0062 ComputerName: KEVIN-HOME
2010/10/24 19:07:34.0062 UserName: Kevin Austin
2010/10/24 19:07:34.0062 Windows directory: C:\WINDOWS
2010/10/24 19:07:34.0062 System windows directory: C:\WINDOWS
2010/10/24 19:07:34.0062 Processor architecture: Intel x86
2010/10/24 19:07:34.0062 Number of processors: 2
2010/10/24 19:07:34.0062 Page size: 0x1000
2010/10/24 19:07:34.0062 Boot type: Normal boot
2010/10/24 19:07:34.0062 ================================================================================
2010/10/24 19:07:34.0265 Initialize success
2010/10/24 19:07:58.0156 ================================================================================
2010/10/24 19:07:58.0156 Scan started
2010/10/24 19:07:58.0156 Mode: Manual;
2010/10/24 19:07:58.0156 ================================================================================
2010/10/24 19:07:58.0406 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/24 19:07:58.0468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/24 19:07:58.0546 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/24 19:07:58.0578 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/24 19:07:58.0781 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/10/24 19:07:59.0000 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
2010/10/24 19:07:59.0031 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/24 19:07:59.0125 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/24 19:07:59.0218 ati2mtag (a7dd7088e2c987dbcb3f4d6d56f723bd) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/10/24 19:07:59.0281 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/24 19:07:59.0343 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/24 19:07:59.0406 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/10/24 19:07:59.0453 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/10/24 19:07:59.0468 AvgTdiX (92d8e1e8502e649b60e70074eb29c380) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/10/24 19:07:59.0515 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/24 19:07:59.0734 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/24 19:07:59.0828 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/24 19:07:59.0937 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/24 19:07:59.0984 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/24 19:08:00.0281 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/24 19:08:00.0390 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/24 19:08:00.0500 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/24 19:08:00.0546 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/24 19:08:00.0593 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/24 19:08:00.0656 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/24 19:08:00.0718 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/24 19:08:00.0781 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/24 19:08:00.0843 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/24 19:08:00.0921 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/24 19:08:00.0968 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/24 19:08:01.0015 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/24 19:08:01.0078 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/24 19:08:01.0125 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/24 19:08:01.0187 GearAspiWDM (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\drivers\GearAspiWDM.sys
2010/10/24 19:08:01.0250 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/24 19:08:01.0312 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/24 19:08:01.0421 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/24 19:08:01.0500 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/24 19:08:01.0687 IntelC51 (fcab28ffd3a8964581e16455efaf81c8) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2010/10/24 19:08:01.0734 IntelC52 (a288e7e3a6255255b9066686d860fbc5) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2010/10/24 19:08:01.0796 IntelC53 (d5e5a1abf6bdba7ca49941a044f04598) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2010/10/24 19:08:01.0828 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/24 19:08:01.0843 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/24 19:08:01.0906 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/24 19:08:01.0968 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/24 19:08:02.0000 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/24 19:08:02.0046 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/24 19:08:02.0078 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/24 19:08:02.0125 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/24 19:08:02.0156 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/24 19:08:02.0203 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/24 19:08:02.0218 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/24 19:08:02.0265 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/24 19:08:02.0281 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/24 19:08:02.0390 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/24 19:08:02.0453 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/24 19:08:02.0500 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/24 19:08:02.0578 mohfilt (c6a08c4f34b3048a73bbb2951150f98d) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2010/10/24 19:08:02.0609 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/24 19:08:02.0671 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/24 19:08:02.0703 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/24 19:08:07.0515 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/24 19:08:07.0515 ================================================================================
2010/10/24 19:08:07.0515 Scan finished
2010/10/24 19:08:07.0515 ================================================================================
2010/10/24 19:08:07.0531 Detected object count: 1
2010/10/24 19:13:16.0546 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Skip
2010/10/24 19:13:48.0031 Deinitialize success

ken545
2010-10-25, 07:02
All of us forums work together, with some forums specializing in different areas of infections, so I have other people looking at this also. It looks like the TDSS Rootkit has infected your Master Boot Record, and this is something we want to handle very delicately, so just hang on a bit and let's see what they say.

ken545
2010-10-25, 10:35
Go ahead and run TDSSKiller again and this time have it cure it. Post the log, then run MBRCheck again and post the NEW LOG.

kaustin
2010-10-26, 02:22
2010/10/25 19:02:55.0031 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/25 19:02:55.0031 ================================================================================
2010/10/25 19:02:55.0031 SystemInfo:
2010/10/25 19:02:55.0031
2010/10/25 19:02:55.0031 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/25 19:02:55.0031 Product type: Workstation
2010/10/25 19:02:55.0031 ComputerName: KEVIN-HOME
2010/10/25 19:02:55.0031 UserName: Kevin Austin
2010/10/25 19:02:55.0031 Windows directory: C:\WINDOWS
2010/10/25 19:02:55.0031 System windows directory: C:\WINDOWS
2010/10/25 19:02:55.0031 Processor architecture: Intel x86
2010/10/25 19:02:55.0031 Number of processors: 2
2010/10/25 19:02:55.0031 Page size: 0x1000
2010/10/25 19:02:55.0031 Boot type: Normal boot
2010/10/25 19:02:55.0031 ================================================================================
2010/10/25 19:02:55.0562 Initialize success
2010/10/25 19:02:58.0750 ================================================================================
2010/10/25 19:02:58.0750 Scan started
2010/10/25 19:02:58.0750 Mode: Manual;
2010/10/25 19:02:58.0750 ================================================================================
2010/10/25 19:03:11.0812 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/25 19:03:11.0812 ================================================================================
2010/10/25 19:03:11.0812 Scan finished
2010/10/25 19:03:11.0812 ================================================================================
2010/10/25 19:03:11.0828 Detected object count: 1
2010/10/25 19:03:16.0078 \HardDisk0\MBR - will be cured after reboot
2010/10/25 19:03:16.0078 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/25 19:03:22.0625 Deinitialize success




MBR**********************************

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 125):

Processes (total 47):
0 System Idle Process
4 System
468 C:\WINDOWS\system32\smss.exe
516 csrss.exe
544 C:\WINDOWS\system32\winlogon.exe
592 C:\WINDOWS\system32\services.exe
604 C:\WINDOWS\system32\lsass.exe
764 C:\WINDOWS\system32\ati2evxx.exe
784 C:\WINDOWS\system32\svchost.exe
848 svchost.exe
920 C:\WINDOWS\system32\svchost.exe
984 svchost.exe
1064 svchost.exe
1108 C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1140 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1424 C:\WINDOWS\system32\spoolsv.exe
1600 C:\WINDOWS\explorer.exe
312 svchost.exe
244 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
552 C:\Program Files\Analog Devices\Core\smax4pnp.exe
652 C:\PROGRA~1\AVG\AVG8\avgtray.exe
896 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE
912 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
960 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
1076 C:\Program Files\Norton Ghost\Agent\GhostTray.exe
1200 C:\WINDOWS\system32\gearsec.exe
1376 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1272 C:\Program Files\Java\jre6\bin\jqs.exe
1580 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
1644 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
1752 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1476 C:\WINDOWS\system32\ctfmon.exe
1156 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
2064 C:\Program Files\AVG\AVG8\avgrsx.exe
2072 C:\Program Files\Palm\HOTSYNC.EXE
2092 C:\PROGRA~1\AVG\AVG8\avgnsx.exe
2256 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
2680 C:\WINDOWS\system32\snmp.exe
2776 C:\WINDOWS\system32\svchost.exe
2820 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
3016 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3076 C:\PROGRA~1\AVG\AVG8\avgemc.exe
3152 C:\Program Files\AVG\AVG8\avgcsrvx.exe
3832 alg.exe
196 C:\PROGRA~1\Yahoo!\Messenger\Ymsgr_tray.exe
1740 C:\WINDOWS\system32\svchost.exe
1828 C:\Documents and Settings\Kevin Austin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3250620AS, Rev: 3.AAC

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
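MBRCheck above reports the MBR's SHA1 and whether the boot code matches known Windows XP code, which is the check that catches a TDSS-style MBR overwrite. As an added example, not from the thread and not MBRCheck's own code, here is a small Python script that performs the same kind of integrity check on one 512-byte sector: verify the 0x55AA boot signature, parse the partition table, hash the boot code area (which exact region MBRCheck hashes is an assumption here) and compare it to an allowlist. The boot code, disk signature and partition entries are constructed sample data, and the allowlist is a stand-in for a real database of vendor boot-code hashes.

```python
"""MBR integrity check in the spirit of MBRCheck: boot signature, partition table, boot-code hash."""
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code; 440..445: disk signature + padding
PART_TABLE_OFF = 446       # four 16-byte partition entries follow, then the 0x55AA signature
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_sha1: str
    boot_code_known: bool
    partitions: List[Partition] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_partitions(sector: bytes) -> List[Partition]:
    """Decode the four classic partition entries; empty slots (type 0, size 0) are skipped."""
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def assess_mbr(sector: bytes, known_boot_code_sha1: Set[str]) -> MbrReport:
    """Check one sector the way a defender would: signature, allowlisted boot code, sane table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one %d-byte sector, got %d bytes" % (SECTOR_SIZE, len(sector)))
    digest = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    report = MbrReport(
        signature_ok=sector[510:512] == BOOT_SIGNATURE,
        boot_code_sha1=digest,
        boot_code_known=digest in {h.upper() for h in known_boot_code_sha1},
    )
    if not report.signature_ok:
        report.findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
        return report
    if not report.boot_code_known:
        report.findings.append("boot code SHA1 %s not in allowlist: MBR code replaced or unknown" % digest)
    report.partitions = parse_partitions(sector)
    for p in report.partitions:
        status = sector[PART_TABLE_OFF + 16 * p.index]
        if status not in (0x00, 0x80):
            report.findings.append("partition %d has invalid status byte 0x%02x" % (p.index, status))
    bootable = sum(1 for p in report.partitions if p.bootable)
    if bootable != 1:
        report.findings.append("%d bootable partitions flagged (expected exactly 1)" % bootable)
    return report


def build_sample_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from constructed parts (test fixture, not a real disk image)."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly %d bytes" % BOOT_CODE_LEN)
    table = bytearray(64)
    for p in partitions:
        struct.pack_into("<B3xB3xII", table, 16 * p.index,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sector_count)
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"   # constructed disk signature + 2 reserved bytes
    return boot_code + disk_sig + bytes(table) + BOOT_SIGNATURE


def read_first_sector(device_path: str) -> bytes:
    """Read the live MBR (e.g. r'\\\\.\\PhysicalDrive0' on Windows); needs administrator rights."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


# Constructed stand-ins: a "known good" boot code and a copy whose first bytes were overwritten.
KNOWN_GOOD_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 8)
TAMPERED_BOOT_CODE = b"\xEB\xFE" + KNOWN_GOOD_BOOT_CODE[2:]
# In practice this allowlist is a database of vendor boot-code hashes; here it holds only the sample.
KNOWN_BOOT_CODE_SHA1S = {hashlib.sha1(KNOWN_GOOD_BOOT_CODE).hexdigest().upper()}
# One NTFS system partition starting at sector 63 (offset 0x7E00), as the MBRCheck output shows for C:.
SAMPLE_PARTITIONS = [Partition(index=0, bootable=True, type_id=0x07, lba_start=63, sector_count=488_000_000)]

if __name__ == "__main__":
    for label, code in (("known-good", KNOWN_GOOD_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        rep = assess_mbr(build_sample_mbr(code, SAMPLE_PARTITIONS), KNOWN_BOOT_CODE_SHA1S)
        print(label, rep.boot_code_sha1, rep.findings or "no findings")
```

A hash mismatch alone does not prove infection (OEM or boot-manager MBRs differ from Microsoft's), which is why a tool like this needs a hash database rather than a single expected value.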

ken545
2010-10-26, 02:29
Looks like that may have done it. How is your system running now, any redirects ?

kaustin
2010-10-26, 05:11
Well... give me another night or two, but so far things are working well.
So what was the problem, or where? Have you seen it before?
If you don't have time to answer that's fine, as I may not understand anyway.
I will get back with you in a couple of days and let you know how things are doing.
Thanks

ken545
2010-10-26, 10:26
Hi,

Years ago when I first got into this, back in the days when Windows 95 first came out, kids and people with too much time on their hands wrote viruses. At the time they really did not do too much damage, more of an annoyance, but that's all changed now. Cybercriminals write this garbage, I mean gangs of criminals that are trying to steal anything they can from you, like your passwords, banking account numbers, credit card numbers. The greater majority of this scum come from off shore so it's hard for the US to prosecute them. When they find a way of infecting something on your system, they keep abreast of what we do, and once they learn that we can clean it they move on to something else. I don't know what you did (opened an attachment, visited a bad website, downloaded something you should not have) and you got infected. I had a poster similar to yours about a month ago and the fix we went through did not work; we had to rebuild his MBR through the Recovery Console, but the TDSS rootkit blocked that from happening. The only recourse we had was to have the user use his Windows CD to perform the fix and he did not have one. He never posted back so I don't know what he ever did. My point is that you just have to be real careful, make sure your Antivirus program is up to date and run a scan on a regular basis. We don't solicit any software programs but Malwarebytes, which you downloaded and ran; the paid version has a block feature that will block you from entering bad or questionable sites. It's a very inexpensive program, around $20 or so for lifetime, not a yearly fee. I have this program and keep it updated on my three systems, but this is up to you; the free version you have will still work, you can check for updates and run scans to remove bad stuff.

What happened to you is somehow you got infected with the TDSS Rootkit and that in turn infected your MBR (Master Boot Record). These are the files responsible for booting up your computer, so every time you started your computer the infection would kick in.


You never know what these infections are capable of, I would suggest you change all your passwords for sites you frequent.

Post back in a few days and let me know how it's going.
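As an added illustration that is not part of this thread and not the MBRCheck tool's own code: a small Python script that performs the kind of check MBRCheck reported earlier in the thread (boot signature present, SHA1 of the boot code, partition table decoded, hash compared against a value recorded while the disk was clean), run on a constructed 512-byte MBR image. The boot code bytes, the "tampered" copy, the partition layout and the baseline hash are all constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # boot code occupies bytes 0-439, before the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries follow at 446-509
SIGNATURE = b"\x55\xAA"  # boot signature in the last two bytes of the sector

# Constructed boot code: a typical Windows XP MBR prologue (xor ax,ax /
# mov ss,ax / mov sp,7C00h) padded with zeros. The "tampered" copy stands in
# for a bootkit that rewrote the first instructions; both are illustrative.
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + bytes(BOOT_CODE_LEN - 7)
TAMPERED_BOOT = b"\xEA\x00\x7C\x00\x00" + CLEAN_BOOT[5:]


def make_mbr(boot_code: bytes) -> bytes:
    """Build a 512-byte MBR with one bootable NTFS partition at LBA 63 (constructed)."""
    sector = bytearray(SECTOR)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 488397105)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = SIGNATURE
    return bytes(sector)


def boot_code_sha1(sector: bytes) -> str:
    """SHA1 of the code region only, the part a TDSS-style bootkit rewrites."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def partitions(sector: bytes) -> list:
    """Decode the non-empty partition table entries."""
    found = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype:
            found.append({"bootable": boot == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return found


def check_mbr(sector: bytes, baseline_sha1: str) -> dict:
    """Validate the signature, hash the boot code and compare with a known-good baseline."""
    valid = len(sector) == SECTOR and sector[510:512] == SIGNATURE
    digest = boot_code_sha1(sector) if valid else None
    return {"valid_signature": valid, "sha1": digest,
            "matches_baseline": valid and digest == baseline_sha1,
            "partitions": partitions(sector) if valid else []}


BASELINE = boot_code_sha1(make_mbr(CLEAN_BOOT))  # hash recorded while the disk was clean
```

Running `check_mbr(make_mbr(TAMPERED_BOOT), BASELINE)` reports a valid signature but a boot-code hash that no longer matches the baseline, which is the signal that the boot code, not the partition table, was changed.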

kaustin
2010-10-27, 04:33
Everything is working well so far. I really thank you for all of your help.
God Bless
Kevin

ken545
2010-10-27, 10:05
You're very welcome Kevin :)


TFC Temp File Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <-- Is not a general cleaning tool, just run it with supervision or you can damage your system.


Click START then RUN.
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it.
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind, if you install some of these programs, only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

kaustin
2010-10-29, 02:11
When I tried to uninstall (with spaces) it just ran Combofix and asked to update (answered NO), then it ran and finished the Combofix program. There was no place to select 2, and it did not uninstall?

ken545
2010-10-29, 10:27
That's fine, happens sometimes, just run OTC and it will remove it all.