
Thread: Please help: browser redirect

  #1 Junior Member (Join Date: Mar 2011, Posts: 6)

    Hello folks. I am having problems with a browser redirect. I am unable to remove it. It seems to target web search functions. At first it only rendered Google useless, but then Bing stopped working too. For the most part, I can type a URL directly in and be fine. Sometimes if I click on a link it won't follow through, but that isn't as often as the search engine redirect.

    I'm running Spybot S&D. I removed some stuff the other day, Virtualmonde? I think?

    I am also running SUPERAntiSpyware.

    I am running Norton Security Suite.

    I followed the first step and saved a backup using ERUNT.

    Next post is the DDS log.

    I went to post the DDS log, and I get an error message that it is too long. What do I do?

    Here is the zipped attached file.

    Try again.

    Zipped and attached the DDS file.
    Last edited by tashi; 2011-03-30 at 04:21. Reason: Merged 5 posts :-)

  #2 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    hi,

    As a precaution you shouldn't be using your computer. It shouldn't have any connectivity. If you're not sure how to do this then I would power it off. We will get a download to start with. You can read the guide on another machine, then download ComboFix to the infected machine and apply the same directions as in the guide. Post the ComboFix log in your reply.

    Guide to using Combofix
    How Can I Reduce My Risk?

  #3 Junior Member (Join Date: Mar 2011, Posts: 6)

    When trying to run ComboFix, I get an error that reads:

    error - win32 only

    incompatible os. combofix only works for workstations with windows 2000 and xp.

    but I am running Windows XP.....

  #4 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    It runs on XP. Delete the ComboFix icon from your desktop and re-download it. If you get the same error you can try to run it in safe mode. To reach safe mode, tap the F8 key during a computer restart, choose the first option from the list (Safe Mode), log into your normal account, and once at the safe mode desktop run ComboFix.

    You can also download another app to run before you try ComboFix again: run TDSSKiller during a normal boot-up, not in safe mode.

    Please download TDSSKiller.exe and save it to your desktop.

    Double click to launch the utility. On Vista and Windows 7, right click and choose "Run as admin...". After it initializes, click the Start Scan button.

    Once the scan completes you can click the continue button.

    "The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

    "After clicking Next, the utility applies selected actions and outputs the result."

    "A reboot might be required after disinfection."

    A report will be found on your root drive, Local Disk (C:), as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt).

    Please post the log report.
    How Can I Reduce My Risk?

  #5 Junior Member (Join Date: Mar 2011, Posts: 6)

    2011/04/01 00:54:21.0648 7080 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/04/01 00:54:21.0773 7080 ================================================================================
    2011/04/01 00:54:21.0773 7080 SystemInfo:
    2011/04/01 00:54:21.0773 7080
    2011/04/01 00:54:21.0773 7080 OS Version: 5.1.2600 ServicePack: 3.0
    2011/04/01 00:54:21.0773 7080 Product type: Workstation
    2011/04/01 00:54:21.0773 7080 ComputerName: DELL270
    2011/04/01 00:54:21.0788 7080 UserName: Bear
    2011/04/01 00:54:21.0788 7080 Windows directory: C:\WINDOWS
    2011/04/01 00:54:21.0788 7080 System windows directory: C:\WINDOWS
    2011/04/01 00:54:21.0788 7080 Processor architecture: Intel x86
    2011/04/01 00:54:21.0788 7080 Number of processors: 1
    2011/04/01 00:54:21.0788 7080 Page size: 0x1000
    2011/04/01 00:54:21.0788 7080 Boot type: Normal boot
    2011/04/01 00:54:21.0788 7080 ================================================================================
    2011/04/01 00:54:22.0226 7080 Initialize success
    2011/04/01 00:54:28.0038 3096 ================================================================================
    2011/04/01 00:54:28.0038 3096 Scan started
    2011/04/01 00:54:28.0038 3096 Mode: Manual;
    2011/04/01 00:54:28.0038 3096 ================================================================================
    2011/04/01 00:54:45.0851 3096 NetBT (f2728ebc8dfdf7506ae6856054a4d9ac) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/04/01 00:54:45.0851 3096 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: f2728ebc8dfdf7506ae6856054a4d9ac, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
    2011/04/01 00:54:45.0866 3096 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/04/01 00:55:01.0960 3096 ================================================================================
    2011/04/01 00:55:01.0960 3096 Scan finished
    2011/04/01 00:55:01.0960 3096 ================================================================================
    2011/04/01 00:55:01.0976 1524 Detected object count: 1
    2011/04/01 00:55:52.0788 1524 NetBT (f2728ebc8dfdf7506ae6856054a4d9ac) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/04/01 00:55:52.0788 1524 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: f2728ebc8dfdf7506ae6856054a4d9ac, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
    2011/04/01 00:55:54.0944 1524 Backup copy found, using it..
    2011/04/01 00:55:55.0194 1524 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured after reboot
    2011/04/01 00:55:55.0194 1524 Rootkit.Win32.TDSS.tdl3(NetBT) - User select action: Cure
    2011/04/01 00:56:11.0319 7228 Deinitialize success
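The log above is the artefact the helper asked for in post #4; what a responder actually needs from it is the forged-file line, the detection name, the action chosen and whether the cure is still waiting on the reboot. The following triage script is an added example for this thread, not code from the forum or from Kaspersky: the line formats are taken from the log posted above, and the "Skip" action wording is an assumption.

```python
# Triage a TDSSKiller log: extract forged-file findings, detection names and
# the action taken, and report what still needs the operator's attention.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the log posted above, with the
# driver enumeration cut down to two entries. Hashes are the ones on the page.
SAMPLE_LOG = r"""
2011/04/01 00:54:21.0648 7080 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/01 00:54:21.0773 7080 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/01 00:54:28.0038 3096 Scan started
2011/04/01 00:54:29.0413 3096 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/01 00:54:45.0851 3096 NetBT (f2728ebc8dfdf7506ae6856054a4d9ac) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/01 00:54:45.0851 3096 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: f2728ebc8dfdf7506ae6856054a4d9ac, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
2011/04/01 00:54:45.0866 3096 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/01 00:55:01.0960 3096 Scan finished
2011/04/01 00:55:01.0976 1524 Detected object count: 1
2011/04/01 00:55:55.0194 1524 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured after reboot
2011/04/01 00:55:55.0194 1524 Rootkit.Win32.TDSS.tdl3(NetBT) - User select action: Cure
"""

# Every line is "<date> <time> <thread id> <message>".
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+\d+\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Forged": two reads of the same file disagreed, and the tool logs both hashes.
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<name>\S+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<name>[^()]+)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")
CURE_RE = re.compile(r"^(?P<path>.+?) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

@dataclass
class Finding:
    service: str
    path: str
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None
    detection: Optional[str] = None
    action: Optional[str] = None     # Cure / Delete / Skip as chosen in the tool (Skip wording assumed)
    pending_reboot: bool = False     # "will be cured after reboot" was logged

def triage(log_text: str) -> dict:
    """Parse one TDSSKiller log into findings plus the tool's own object count."""
    svc_by_path: Dict[str, str] = {}   # from the driver enumeration: path -> service
    path_by_svc: Dict[str, str] = {}
    findings: Dict[str, Finding] = {}  # keyed by service name (path if unknown)
    declared: Optional[int] = None

    def finding(svc: Optional[str] = None, path: Optional[str] = None) -> Finding:
        svc = svc or svc_by_path.get((path or "").lower())
        key = svc or path or "?"
        if key not in findings:
            findings[key] = Finding(service=svc or "?", path=path or path_by_svc.get(svc, "?"))
        return findings[key]

    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        msg = line.group("msg").strip()
        if (m := DRIVER_RE.match(msg)):
            svc_by_path[m.group("path").lower()] = m.group("svc")
            path_by_svc[m.group("svc")] = m.group("path")
        elif (m := FORGED_RE.match(msg)):
            fd = finding(path=m.group("path"))
            fd.real_md5, fd.fake_md5 = m.group("real"), m.group("fake")
        elif (m := DETECT_RE.match(msg)):
            finding(svc=m.group("svc")).detection = m.group("name")
        elif (m := ACTION_RE.match(msg)):
            fd = finding(svc=m.group("svc"))
            fd.action = m.group("action")
            fd.detection = fd.detection or m.group("name")
        elif (m := CURE_RE.match(msg)):
            finding(path=m.group("path")).pending_reboot = True
        elif (m := COUNT_RE.match(msg)):
            declared = int(m.group("n"))

    # A mismatch here means the log was truncated or a line format was not recognised.
    return {"declared_count": declared, "findings": list(findings.values()),
            "count_matches": declared is not None and declared == len(findings)}

def status(f: Finding) -> str:
    """Human-readable state of one finding."""
    if f.action in ("Cure", "Delete"):
        return f"{f.action.lower()} pending reboot" if f.pending_reboot else f"{f.action.lower()}d"
    return "skipped" if f.action == "Skip" else "no action recorded"

def needs_followup(findings: List[Finding]) -> List[Finding]:
    """Still open: no action, left at the tool's default Skip, or a cure that
    only takes effect after the reboot the tool asked for."""
    return [f for f in findings if f.action not in ("Cure", "Delete") or f.pending_reboot]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['declared_count']} object(s) declared, {len(report['findings'])} parsed, "
          f"consistent={report['count_matches']}")
    for f in report["findings"]:
        print(f"  {f.service:<8} {f.detection or '-':<26} {status(f)}  "
              f"real md5 {f.real_md5} / fake md5 {f.fake_md5} ({f.path})")
```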

  #6 Junior Member (Join Date: Mar 2011, Posts: 6) - combofix log

    ComboFix 11-03-31.02 - Bear 04/01/2011 1:16.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3839.3248 [GMT -4:00]
    Running from: c:\documents and settings\Bear\Desktop\ComboFix.exe
    AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Bear\Application Data\Adobe\plugs
    c:\documents and settings\Bear\Application Data\Adobe\shed
    c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}
    c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\chrome.manifest
    c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\chrome\content\_cfg.js
    c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\chrome\content\overlay.xul
    c:\documents and settings\Bear\Local Settings\Application Data\{7484FC13-A8B0-4BF6-843A-5FE4A312350D}\install.rdf
    c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}
    c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\chrome.manifest
    c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\chrome\content\_cfg.js
    c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\chrome\content\overlay.xul
    c:\documents and settings\Bunny\Local Settings\Application Data\{8EA551ED-AAE7-4214-A477-270652475D9A}\install.rdf
    E:\Uninstall.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-31 00:29 . 2011-03-31 16:29 -------- d-----w- c:\program files\SDistTest
    2011-03-30 00:55 . 2011-03-30 00:55 -------- d-----w- c:\program files\ERUNT
    2011-03-26 22:56 . 2011-03-26 22:56 -------- d-----w- c:\program files\Common Files\Stardock
    2011-03-26 22:55 . 2011-03-26 22:55 -------- d-----w- c:\program files\Stardock Games
    2011-03-26 22:30 . 2011-03-26 22:32 -------- d-----w- c:\documents and settings\Bear\Application Data\Stardock
    2011-03-26 22:29 . 2011-03-26 22:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{0D7C3114-2F34-430F-A142-545BE493A7E9}
    2011-03-26 22:28 . 2011-03-26 22:28 -------- d-----w- c:\documents and settings\Bear\Local Settings\Application Data\PackageAware
    2011-03-26 22:25 . 2011-03-26 22:25 -------- d-----w- c:\documents and settings\Bear\Local Settings\Application Data\Stardock
    2011-03-25 15:31 . 2011-03-25 15:31 -------- d-----w- c:\documents and settings\Bear\Application Data\webex
    2011-03-24 15:13 . 2011-03-24 15:13 -------- d-----w- c:\windows\Downloaded Installations
    2011-03-23 22:08 . 2011-03-23 22:08 -------- d-----w- c:\documents and settings\Bear\Application Data\SUPERAntiSpyware.com
    2011-03-23 22:08 . 2011-03-23 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-03-23 15:13 . 2011-03-23 15:13 -------- d-----w- c:\documents and settings\Bear\Local Settings\Application Data\Symantec
    2011-03-22 12:22 . 2011-03-23 04:23 0 ----a-w- c:\windows\Alupineteriwedok.bin
    2011-03-20 23:58 . 2010-02-09 01:59 56200 ----a-w- c:\windows\system32\offreg.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-01 05:00 . 2004-08-04 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
    2011-03-11 05:54 . 2010-04-12 15:09 87688 ----a-w- c:\windows\system32\IncContxMenu.dll
    2011-03-11 05:53 . 2010-04-12 15:09 11776 ----a-w- c:\windows\system32\smrgdf.exe
    2011-03-11 05:53 . 2010-04-12 15:09 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
    2011-03-11 05:36 . 2010-04-12 15:09 2234552 ----a-w- c:\windows\system32\Incinerator.dll
    2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2009-05-21 13:26 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-05-21 13:26 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "SpybotSD TeaTimer"="e:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]
    "SUPERAntiSpyware"="E:\SUPERAntiSpyware.exe" [2011-03-16 2423752]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-07 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-07 114688]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "nwiz"="nwiz.exe" [2006-10-22 1622016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-13 417792]
    .
    c:\documents and settings\Bear\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Impulse Now.lnk - e:\stardock\Impulse\Now\ImpulseNow.exe [2011-3-21 476464]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-8 805392]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "E:\SASSEH.DLL" [2008-05-13 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- E:\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
    "e:\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "19036:TCP"= 19036:TCP:BitComet 19036 TCP
    "19036:UDP"= 19036:UDP:BitComet 19036 UDP
    "58734:TCP"= 58734:TCP:Pando P2P TCP Listening Port
    "58734:UDP"= 58734:UDP:Pando P2P UDP Listening Port
    .
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/24/2010 11:21 PM 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/24/2010 11:21 PM 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/24/2010 11:21 PM 482432]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110330.001\IDSXpx86.sys [3/31/2011 1:40 AM 341944]
    R1 SASDIFSV;SASDIFSV;E:\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;E:\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/12/2010 11:09 AM 724152]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [4/12/2010 11:09 AM 724152]
    R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/24/2010 11:21 PM 117640]
    R2 SDisTestService;SpybotSnD Distributed Testing;c:\program files\SDistTest\SDistTestSvc.exe [3/30/2011 8:29 PM 907680]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/21/2011 8:55 PM 102448]
    R3 SAUSBHW;%SAUSBHW.SvcDesc%;c:\windows\system32\drivers\SAUSB.SYS [9/16/2009 11:29 AM 171600]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - KLMDB
    *Deregistered* - klmdb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-01 c:\windows\Tasks\ArcGIS Indexing (DELL270_Bear).job
    - c:\program files\ArcGIS\Desktop10.0\bin\DesktopIndexingService.exe [2010-05-19 18:33]
    .
    2011-04-01 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{38EB9964-2679-46E6-86C3-8DBEC74145FF}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{6024F565-C638-441B-AD02-6C963EF82601}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.cnn.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - hxxp://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
    DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
    .
    .
    ------- File Associations -------
    .
    JSEFile=NOTEPAD.EXE %1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Hkikezonus - c:\windows\secinvc.dll
    SafeBoot-klmdb.sys
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - e:\\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-01 01:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\docume~1\Bear\LOCALS~1\Temp\Perflib_Perfdata_edc.dat 16384 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(948)
    E:\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    Completion time: 2011-04-01 01:25:17
    ComboFix-quarantined-files.txt 2011-04-01 05:25
    .
    Pre-Run: 6,952,194,048 bytes free
    Post-Run: 7,128,571,904 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - EECC10929DB559D43E065883FA5A1FFD
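A small triage helper for ComboFix-style logs like the one above, as an added example written for this page (it is not ComboFix's or the forum's own code). The sample lines are a constructed excerpt from this thread's log, and the settings it flags (a disabled firewall profile, globally opened P2P ports, an orphaned Run entry that loaded a DLL from the Windows directory) are the ones a helper would look at first.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code)."""
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19036:TCP"= 19036:TCP:BitComet 19036 TCP
"58734:UDP"= 58734:UDP:Pando P2P UDP Listening Port
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Hkikezonus - c:\windows\secinvc.dll
SafeBoot-klmdb.sys
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")            # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')     # "Name"= value
ORPHAN_RUN_RE = re.compile(r"^HK(?:LM|CU)-Run-(\S+) - (.+)$", re.IGNORECASE)


def triage(log_text):
    """Return a list of (severity, message) findings for a ComboFix-style log."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()   # track which registry key we are in
            continue
        m = VALUE_RE.match(line)
        if m and "firewallpolicy" in section:
            name, value = m.group(1), m.group(2)
            profile = section.split("\\")[-1]
            if name.lower() == "enablefirewall" and value.split()[0] == "0":
                findings.append(("high", f"firewall disabled in {profile} profile"))
            elif section.endswith("globallyopenports\\list"):
                # value looks like "19036:TCP:BitComet 19036 TCP"; keep the label
                findings.append(("medium", f"globally open port {name}: {value.split(':', 2)[-1]}"))
        m = ORPHAN_RUN_RE.match(line)
        if m and m.group(2).lower().endswith(".dll"):
            findings.append(("high", f"orphaned Run entry {m.group(1)} loaded DLL {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```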

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    OK, looking good. I will get a better look at the logs later; for now you can get another download which you can keep and use:

    Please download the free version of Malwarebytes to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.

    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

    If an update is found, it will download and install the latest version.

    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.

    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

    Post the log in your reply.
    How Can I Reduce My Risk?

  8. #8
    Junior Member
    Join Date
    Mar 2011
    Posts
    6

    Default

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6234

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/1/2011 6:54:37 AM
    mbam-log-2011-04-01 (06-54-37).txt

    Scan type: Quick scan
    Objects scanned: 189880
    Time elapsed: 6 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  9. #9
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Looks good. You can do an online scan:

    http://www.eset.com/onlinescan/

    Use Internet Explorer

    check "YES" to accept terms

    click start button

    allow the ActiveX component to install

    click the start button. the Scanner will update.

    check both "Remove found threats" and "Scan archives". Leave the defaults checked under Advanced settings

    click scan. When it completes click "List found threats"

    click "Export to text file..." and save it to your desktop. Post the saved log.

    Click "back" and "finish"
    How Can I Reduce My Risk?
