Microsoft Windows.RedirectedHosts [Archive]

View Full Version : Microsoft Windows.RedirectedHosts

slohman

2011-07-01, 19:29

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by ginger at 12:18:07 on 2011-07-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1790.817 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\DAILYB~2\bar\1.bin\2vbarsvc.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\windows\System32\alg.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\atieclxx.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\DailyBibleGuide\bar\1.bin\2vbrmon.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAILYB~2\bar\1.bin\2vmedint.exe
C:\PROGRA~1\DAILYB~2\bar\1.bin\2vmedint.exe
C:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\sppsvc.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uURLSearchHooks: N/A: {f15ff29f-85a1-43cd-9674-e5ba40016c97} - c:\program files\dailybibleguide\bar\1.bin\2vSrcAs.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Search Assistant BHO: {0631bff0-6846-48ca-982d-d62d7f376e97} - c:\program files\dailybibleguide\bar\1.bin\2vSrcAs.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Toolbar BHO: {beea7fa9-d1f4-49a2-9b1f-6fb7a2d9bc2a} - c:\progra~1\dailyb~2\bar\1.bin\2vbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: DailyBibleGuide: {2a942ab7-2073-49bc-a7e1-77e93835889a} - c:\program files\dailybibleguide\bar\1.bin\2vbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [DailyBibleGuide Browser Plugin Loader] c:\progra~1\dailyb~2\bar\1.bin\2vbrmon.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\ginger\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\ginger\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9A2C832A-3E88-42DB-8D70-FFA7F014AFC6} : DhcpNameServer = 100.100.0.101
TCP: Interfaces\{9EB1A50D-8382-40C6-A54D-ECCE6A2EF150} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9EB1A50D-8382-40C6-A54D-ECCE6A2EF150}\35D434752425134335D2E443F51405 : DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{9EB1A50D-8382-40C6-A54D-ECCE6A2EF150}\7494E4745425D20534F5E4564777F627B6 : DhcpNameServer = 192.168.1.1
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP
Hosts: 95.211.99.112 www.google.com.au
Hosts: 178.17.165.3 www.google.com.au
Hosts: 95.211.99.112 www.google.be
Hosts: 178.17.165.3 www.google.be
Hosts: 95.211.99.112 www.google.com.br
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-25 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-25 307928]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-7-14 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-25 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-6-25 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-25 42184]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 DailyBibleGuideService;DailyBibleGuide Service;c:\progra~1\dailyb~2\bar\1.bin\2vbarsvc.exe [2011-4-23 36864]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-25 366640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-6-25 1153368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-25 22712]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-7-14 167936]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2010-7-14 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-25 39984]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-7-14 171520]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-16 1343400]
.
=============== Created Last 30 ================
.
2011-07-01 14:09:50 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2338ea8a-a986-4f53-97eb-273058c9cc31}\mpengine.dll
2011-06-28 22:10:26 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-28 22:10:15 1553920 ----a-w- c:\windows\system32\tquery.dll
2011-06-28 22:10:15 1401856 ----a-w- c:\windows\system32\mssrch.dll
2011-06-28 22:10:14 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-06-28 22:10:14 428032 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-06-28 22:10:13 337408 ----a-w- c:\windows\system32\mssph.dll
2011-06-28 22:10:12 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-06-28 22:10:12 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-06-28 22:10:12 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-06-28 22:10:12 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-06-26 02:45:13 -------- d-----w- c:\users\ginger\appdata\roaming\Malwarebytes
2011-06-26 02:45:01 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-26 02:45:00 -------- d-----w- c:\programdata\Malwarebytes
2011-06-26 02:44:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-26 02:44:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-25 15:04:10 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-25 15:04:08 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-06-25 15:03:08 40112 ----a-w- c:\windows\avastSS.scr
2011-06-25 15:03:00 -------- d-----w- c:\programdata\AVAST Software
2011-06-25 15:03:00 -------- d-----w- c:\program files\AVAST Software
2011-06-25 15:00:20 -------- d-----w- c:\program files\Defraggler
2011-06-25 14:57:21 -------- d-----w- c:\program files\CCleaner
2011-06-25 14:48:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-06-25 14:48:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-23 11:52:57 -------- d-sh--w- c:\programdata\SSBHCAS
2011-06-23 11:52:42 -------- d-sh--w- c:\programdata\d04dea
2011-06-15 01:17:52 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-15 01:17:52 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 01:17:52 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 01:17:49 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 01:17:48 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 01:17:24 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 01:17:22 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-15 01:17:21 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 01:17:19 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-06-15 01:16:55 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 01:16:55 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 01:16:55 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
==================== Find3M ====================
.
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-22 19:36:05 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-09 02:28:29 13 --sh--r- c:\windows\system32\drivers\fbd.sys
.
============= FINISH: 12:19:19.98 ===============

jeffce

2011-07-05, 17:34

Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic button to the right of your topic title and then choosing the notification method ( Recommended: Inmediate Notification)
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

**Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise, this will be a team effort. This may cause a delay, but I will do my best to keep it as short as possible. Please bear with me, I will post back to you as soon as I can.**

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

slohman

2011-07-05, 21:45

Thank you for your help. I am here awaiting instructions.

jeffce

2011-07-06, 06:19

Hi slohman,

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it
----------

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:Services

:Files
dir c:\programdata\SSBHCAS /s /c
dir c:\programdata\d04dea /s /c

:Commands
[purity]
[resethosts]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

In your next reply please post the logs created by aswMBR and OTL. :)

slohman

2011-07-06, 18:21

aswMBR version 0.9.7.705 Copyright(c) 2011 AVAST Software
Run date: 2011-07-06 09:33:39
-----------------------------
09:33:39.484 OS Version: Windows 6.1.7600
09:33:39.485 Number of processors: 1 586 0x301
09:33:39.489 ComputerName: GINGER-PC UserName: ginger
09:33:40.365 Initialize success
09:33:40.482 AVAST engine defs: 11070600
09:33:43.853 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
09:33:43.862 Disk 0 Vendor: TOSHIBA_MK2555GSXN GC002M Size: 238475MB BusType: 11
09:33:45.892 Disk 0 MBR read successfully
09:33:45.899 Disk 0 MBR scan
09:33:45.910 Disk 0 unknown MBR code
09:33:47.986 Disk 0 scanning sectors +488396800
09:33:48.020 Disk 0 scanning C:\windows\system32\drivers
09:33:49.976 File: C:\windows\system32\drivers\ataport.sys **SUSPICIOUS**
09:34:03.812 Service scanning
09:34:04.863 Disk 0 trace - called modules:
09:34:04.915 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS >>UNKNOWN [0x85f728a1]<<
09:34:04.928 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85642ac8]
09:34:04.944 3 CLASSPNP.SYS[885a459e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85646030]
09:34:06.344 AVAST engine scan C:\windows
09:48:53.289 File: C:\windows\System32\drivers\ataport.sys **SUSPICIOUS**
10:29:01.835 AVAST engine scan C:\Users\ginger
10:35:09.477 AVAST engine scan C:\ProgramData
10:38:41.590 Scan finished successfully
11:08:38.668 Disk 0 MBR has been saved successfully to "C:\Users\ginger\Documents\MBR.dat"
11:08:38.678 The log file has been saved successfully to "C:\Users\ginger\Documents\aswMBR.txt"

========== SERVICES/DRIVERS ==========
========== FILES ==========
< dir c:\programdata\SSBHCAS /s /c >
Volume in drive C is TI105866W0A
Volume Serial Number is BAAE-36FD
C:\Users\ginger\Downloads\cmd.bat deleted successfully.
C:\Users\ginger\Downloads\cmd.txt deleted successfully.
< dir c:\programdata\d04dea /s /c >
Volume in drive C is TI105866W0A
Volume Serial Number is BAAE-36FD
Directory of c:\programdata\d04dea
06/23/2011 07:53 AM <DIR> BackUp
06/23/2011 07:52 AM <DIR> Quarantine Items
06/24/2011 09:50 PM 4,286 SSS.ico
06/23/2011 07:52 AM <DIR> SSSSys
1 File(s) 4,286 bytes
Directory of c:\programdata\d04dea\BackUp
06/23/2011 07:53 AM <DIR> .
06/23/2011 07:53 AM <DIR> ..
04/17/2011 02:09 PM 1,287 OneNote 2007 Screen Clipper and Launcher.lnk
1 File(s) 1,287 bytes
Directory of c:\programdata\d04dea\Quarantine Items
06/23/2011 07:52 AM <DIR> .
06/23/2011 07:52 AM <DIR> ..
0 File(s) 0 bytes
Directory of c:\programdata\d04dea\SSSSys
06/23/2011 07:52 AM <DIR> .
06/23/2011 07:52 AM <DIR> ..
0 File(s) 0 bytes
Total Files Listed:
2 File(s) 5,573 bytes
9 Dir(s) 211,929,198,592 bytes free
C:\Users\ginger\Downloads\cmd.bat deleted successfully.
C:\Users\ginger\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.0 log created on 07062011_111056

jeffce

2011-07-07, 01:22

Hi slohman,

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------

OTL

Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

In your next reply please post the logs created by OTL and TDSSKiller.

jeffce

2011-07-09, 18:15

Are you still with us? :)

oldman960

2011-07-11, 18:40

Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.