Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Unable to remove redirect Virus.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unable to remove redirect Virus.

Unread postby freewaydrew » October 13th, 2010, 7:01 pm

Hi, I have a problem with my web browser redirecting searches when I click on them. It doesn’t happen all the time but when it does it’s usually to another search results page. I have now installed ad aware live protection that stops some of the more malicious redirects but the main problem remains.
The virus also tries to stop my spyware/virus protection from working.
I have tried uninstalling IE8 and reinstalling but this has no effect. I also tried Firefox and Chrome but they all have the same issue. I have listed my attempts for removal below.

Spybot wouldn’t open so I went to the hide protected file and opened it from the randomly named file of the same size as the spybot.exe file. I updated it and ran a scan which was clean.

AVG free also found nothing.

Malware bytes also wouldn’t run so I had to rename the .exe file but it also found nothing.

I installed ad aware and that did find and remove a couple of things but has had little or no effect on the original problem.

I then tried ComboFix. I realise this was a risk but I’m getting desperate now. That found and removed a few things but again had no effect, so I uninstalled it.

(I can reply with any of the log files on request)

I am now on the verge of wiping my system clean and starting from scratch.

This forum is my last port of call before I do this.

I have posted the requested logs below.

Please help!

Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:49:20, on 13/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} (PhotoboxPhotowaysUploader5 Control) - http://assets.photobox.com/assets/aurig ... 1203144706
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6770.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7650 bytes

Unistall List:

µTorrent
Acrobat.com
Acrobat.com
Activation (Nero 9)
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 9.0
BBC iPlayer Desktop
BBC iPlayer Desktop
Blu-ray Disc Authoring Plug-in
Bonjour
Dell Driver Reset Tool
EPSON Easy Photo Print
EPSON Printer Software
EPSON Scan
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel(R) 537EP V9x DFV PCI Modem
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Software v9.2.4.11
Intel(R) PROSafe for Wired Connections
Intel(R) PROSafe for Wired Connections
Internet Explorer Default Page
ISO Image Burner 1.1
iTunes
Java(TM) 6 Update 17
K-Lite Mega Codec Pack 5.2.0
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NatWest Business Software
Nero 9
Nero BackItUp 4
Nero MediaHome 4
Nero Move it
neroxml
PC Connectivity Solution
PeerGuardian 2.0
PLiska Image Resizer
QuickTime
RccamargNvr
Search Settings v1.2.3
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB975558)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spell Checker For OE 2.1
Spotify
Spybot - Search & Destroy
TomTom HOME 2.7.3.1894
TomTom HOME Visual Studio Merge Modules
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC Mirror Driver 1.8.0
VNC Personal Edition P4.5.1
VNC Printer Driver 1.6.0
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
freewaydrew
Active Member
 
Posts: 7
Joined: October 13th, 2010, 4:16 am
Advertisement
Register to Remove

Re: Unable to remove redirect Virus.

Unread postby askey127 » October 14th, 2010, 6:56 pm

Hi freewaydrew,
If you still need help and are not receiving it elsewhere, please proceed as follows:
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394
As a condition of receiving our help, I have included the P2P program utorrent in the removal instructions below, so we are not wasting our time.
If you have used this, you can be fairly confident this is a principal reason your computer is infected

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze, Shareaza, Bitlord.
Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Some of the recent infections can turn your machine into a doorstop.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :
µTorrent
Ad-Aware
Java(TM) 6 Update 17
PeerGuardian 2.0
Search Settings v1.2.3

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
--------------------------------------------
Download and Install the latest version of Java Runtime Environment from here : http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
In the first section on the page, labeled JDK 6 Update 22 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then doubleclick it on your desktop, (or right click and choose "Run as administrator") and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
------------------------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click and select "Run As Administrator".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  6. Copy and paste the contents of that file in your next reply.
If, for some reason,you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable to remove redirect Virus.

Unread postby freewaydrew » October 15th, 2010, 7:09 pm

Ok,

Done all as requested, I won’t be using P2P in future. I must admit I was a bit naive in that area but I’ve not used it for a while anyway.
Please find attached requested log file.

Thanks askey127.



2010/10/15 23:48:23.0843 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/15 23:48:23.0843 ================================================================================
2010/10/15 23:48:23.0843 SystemInfo:
2010/10/15 23:48:23.0843
2010/10/15 23:48:23.0843 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/15 23:48:23.0843 Product type: Workstation
2010/10/15 23:48:23.0843 ComputerName: D8RKHR1J
2010/10/15 23:48:23.0843 UserName: Drew
2010/10/15 23:48:23.0843 Windows directory: C:\WINDOWS
2010/10/15 23:48:23.0843 System windows directory: C:\WINDOWS
2010/10/15 23:48:23.0843 Processor architecture: Intel x86
2010/10/15 23:48:23.0843 Number of processors: 2
2010/10/15 23:48:23.0843 Page size: 0x1000
2010/10/15 23:48:23.0843 Boot type: Normal boot
2010/10/15 23:48:23.0843 ================================================================================
2010/10/15 23:48:24.0078 Initialize success
2010/10/15 23:48:41.0515 ================================================================================
2010/10/15 23:48:41.0515 Scan started
2010/10/15 23:48:41.0515 Mode: Manual;
2010/10/15 23:48:41.0515 ================================================================================
2010/10/15 23:48:42.0125 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/10/15 23:48:42.0171 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/15 23:48:42.0218 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/15 23:48:42.0250 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/15 23:48:42.0281 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/15 23:48:42.0328 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/15 23:48:42.0375 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/10/15 23:48:42.0390 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/10/15 23:48:42.0437 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/10/15 23:48:42.0468 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/10/15 23:48:42.0500 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/10/15 23:48:42.0531 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/15 23:48:42.0562 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/10/15 23:48:42.0593 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/10/15 23:48:42.0625 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/10/15 23:48:42.0656 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/10/15 23:48:42.0687 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/10/15 23:48:42.0718 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/10/15 23:48:42.0765 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/15 23:48:42.0812 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/15 23:48:42.0859 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/15 23:48:42.0921 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/15 23:48:42.0968 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2010/10/15 23:48:43.0000 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2010/10/15 23:48:43.0046 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2010/10/15 23:48:43.0093 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/15 23:48:43.0406 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/15 23:48:43.0421 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/15 23:48:43.0453 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/10/15 23:48:43.0484 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/15 23:48:43.0531 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/15 23:48:43.0546 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/15 23:48:43.0625 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/10/15 23:48:43.0656 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/15 23:48:43.0703 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/15 23:48:43.0718 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/15 23:48:43.0781 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/15 23:48:43.0828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/15 23:48:43.0859 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2010/10/15 23:48:43.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/15 23:48:43.0937 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/15 23:48:43.0968 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/15 23:48:44.0000 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/15 23:48:44.0078 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/15 23:48:44.0156 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/15 23:48:44.0218 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/15 23:48:44.0265 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/15 23:48:44.0296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/15 23:48:44.0328 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/15 23:48:44.0406 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/15 23:48:44.0468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/15 23:48:44.0500 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/10/15 23:48:44.0531 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/15 23:48:44.0578 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/15 23:48:44.0609 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/15 23:48:44.0656 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/15 23:48:44.0703 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/15 23:48:44.0750 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/15 23:48:44.0781 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/15 23:48:44.0812 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/15 23:48:44.0875 ialm (0294a30b302ca71a2c26e582dda93486) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/10/15 23:48:44.0937 Imapi (5bde850571f88121ea17ae4cc9a9fde4) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/15 23:48:44.0937 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: 5bde850571f88121ea17ae4cc9a9fde4, Fake md5: fdf5c0f9999b56ab8fd5f808155058e2
2010/10/15 23:48:44.0937 Imapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/15 23:48:44.0984 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/15 23:48:45.0046 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2010/10/15 23:48:45.0093 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2010/10/15 23:48:45.0125 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2010/10/15 23:48:45.0156 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/15 23:48:45.0203 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/15 23:48:45.0250 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/15 23:48:45.0281 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/15 23:48:45.0328 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/15 23:48:45.0375 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/15 23:48:45.0421 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/15 23:48:45.0453 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/15 23:48:45.0484 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/15 23:48:45.0531 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/15 23:48:45.0546 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/15 23:48:45.0609 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/15 23:48:45.0640 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/15 23:48:45.0953 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/15 23:48:45.0984 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/15 23:48:46.0015 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/15 23:48:46.0031 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2010/10/15 23:48:46.0062 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/15 23:48:46.0109 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/15 23:48:46.0140 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/15 23:48:46.0187 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/15 23:48:46.0203 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/15 23:48:46.0250 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/15 23:48:46.0296 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/15 23:48:46.0328 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/15 23:48:46.0359 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/15 23:48:46.0375 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/15 23:48:46.0421 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/15 23:48:46.0453 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/15 23:48:46.0484 NAL (9121d8ffff773c66bbf4955e4f7aac23) C:\WINDOWS\system32\Drivers\iqvw32.sys
2010/10/15 23:48:46.0562 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/15 23:48:46.0578 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/15 23:48:46.0609 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/15 23:48:46.0656 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/15 23:48:46.0671 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/15 23:48:46.0687 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/15 23:48:46.0734 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/15 23:48:46.0812 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/15 23:48:46.0859 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/15 23:48:46.0906 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/15 23:48:47.0000 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/15 23:48:47.0078 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/15 23:48:47.0109 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/15 23:48:47.0156 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2010/10/15 23:48:47.0218 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/15 23:48:47.0265 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/15 23:48:47.0296 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/15 23:48:47.0343 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2010/10/15 23:48:47.0375 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/15 23:48:47.0421 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/15 23:48:47.0453 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/15 23:48:47.0562 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/15 23:48:47.0578 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/15 23:48:47.0796 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/15 23:48:47.0828 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/15 23:48:47.0859 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/15 23:48:47.0906 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/15 23:48:47.0968 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/15 23:48:48.0000 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/15 23:48:48.0046 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/15 23:48:48.0078 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/15 23:48:48.0093 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/15 23:48:48.0140 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/15 23:48:48.0187 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/15 23:48:48.0203 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/15 23:48:48.0234 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/15 23:48:48.0265 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/15 23:48:48.0312 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/15 23:48:48.0375 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/15 23:48:48.0421 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/15 23:48:48.0453 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/15 23:48:48.0515 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/15 23:48:48.0562 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/15 23:48:48.0609 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/15 23:48:48.0640 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/15 23:48:48.0703 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/15 23:48:48.0750 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/15 23:48:48.0781 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/15 23:48:48.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/15 23:48:48.0859 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/15 23:48:48.0937 STHDA (6b14c6e98f752ebbab24a4e0bd0f3a24) C:\WINDOWS\system32\drivers\sthda.sys
2010/10/15 23:48:48.0968 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/15 23:48:49.0000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/15 23:48:49.0046 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/15 23:48:49.0078 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/15 23:48:49.0125 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/15 23:48:49.0171 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/15 23:48:49.0218 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/15 23:48:49.0281 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/15 23:48:49.0312 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/15 23:48:49.0343 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/15 23:48:49.0375 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/15 23:48:49.0421 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/15 23:48:49.0468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/15 23:48:49.0500 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/15 23:48:49.0546 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/15 23:48:49.0625 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/15 23:48:49.0656 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/15 23:48:49.0703 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/15 23:48:49.0750 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/15 23:48:49.0781 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/15 23:48:49.0828 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/15 23:48:49.0859 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/15 23:48:49.0906 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/15 23:48:49.0937 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2010/10/15 23:48:49.0984 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/15 23:48:50.0031 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/15 23:48:50.0062 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/15 23:48:50.0078 vncmirror (3b8f222b23917c041e4da29ccc57e7d0) C:\WINDOWS\system32\DRIVERS\vncmirror.sys
2010/10/15 23:48:50.0125 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/15 23:48:50.0187 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/15 23:48:50.0265 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/10/15 23:48:50.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/15 23:48:50.0406 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/10/15 23:48:50.0468 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/15 23:48:50.0515 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/15 23:48:50.0578 ================================================================================
2010/10/15 23:48:50.0578 Scan finished
2010/10/15 23:48:50.0578 ================================================================================
2010/10/15 23:48:50.0593 Detected object count: 1
2010/10/15 23:50:10.0984 Imapi (5bde850571f88121ea17ae4cc9a9fde4) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/15 23:50:10.0984 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: 5bde850571f88121ea17ae4cc9a9fde4, Fake md5: fdf5c0f9999b56ab8fd5f808155058e2
2010/10/15 23:50:12.0828 Backup copy found, using it..
2010/10/15 23:50:12.0843 C:\WINDOWS\system32\DRIVERS\imapi.sys - will be cured after reboot
2010/10/15 23:50:12.0843 Rootkit.Win32.TDSS.tdl3(Imapi) - User select action: Cure
2010/10/15 23:50:22.0062 Deinitialize success
freewaydrew
Active Member
 
Posts: 7
Joined: October 13th, 2010, 4:16 am

Re: Unable to remove redirect Virus.

Unread postby askey127 » October 15th, 2010, 7:47 pm

freewaydrew,
You have had a rootkit TidServ infection.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVG
    Please open the AVG Control Center, by right clicking on the AVG icon in the task bar.
    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, DESELECT the option to "Enable Resident Shield."
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then Reenable your protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable to remove redirect Virus.

Unread postby freewaydrew » October 16th, 2010, 3:48 pm

Please find requested log file.

Dont know if this is an issue but this log was produced the second time I ran ComboFix. The first one went through all the procedures then said to not run any programs till its finished and then froze. I left the computer alone for 5 hours and it was still stuck at the same screen. I had to do a forced shut down then ran ComboFix again and the it produced the following log.

ComboFix 10-10-15.04 - Drew 16/10/2010 20:30:27.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2810 [GMT 1:00]
Running from: c:\documents and settings\Drew\Desktop\zzz.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
.

2010-10-15 22:47 . 2010-10-15 22:47 -------- d-----w- c:\program files\Common Files\Java
2010-10-15 22:46 . 2010-10-15 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-15 22:46 . 2010-10-15 22:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-15 22:46 . 2010-10-15 22:46 -------- d-----w- C:\TEMP
2010-10-15 22:45 . 2010-10-15 22:45 -------- d-----w- C:\Sun
2010-10-13 22:48 . 2010-10-13 22:48 388096 ----a-r- c:\documents and settings\Drew\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-13 22:48 . 2010-10-13 22:48 -------- d-----w- c:\program files\Trend Micro
2010-10-12 23:27 . 2010-10-12 23:28 -------- dc-h--w- c:\windows\ie8
2010-10-12 20:13 . 2010-10-12 20:13 -------- d-----w- c:\documents and settings\Drew\Local Settings\Application Data\Mozilla
2010-10-12 18:17 . 2010-10-12 18:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-12 18:12 . 2010-10-12 18:12 -------- d-----w- c:\documents and settings\Drew\Local Settings\Application Data\Sunbelt Software
2010-10-04 19:54 . 2010-10-05 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-10-03 20:15 . 2010-10-03 21:49 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-30 22:09 . 2010-09-30 22:09 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-30 22:01 . 2010-09-30 22:01 -------- d-sh--w- c:\documents and settings\Administrator.D8RKHR1J\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-03 2067808]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-14 122368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 07:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 12:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 14:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 19:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=3 (0x3)
"TomTomHOMEService"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"EPSON_PM_RPCV4_01"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/10/2009 18:49 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/10/2009 18:50 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 08:38 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 18:49 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 12:31 92008]
.
Contents of the 'Scheduled Tasks' folder

2010-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 17:49]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 17:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurig ... 1203144706
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1824)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-16 20:37:02
ComboFix-quarantined-files.txt 2010-10-16 19:37

Pre-Run: 34,009,587,712 bytes free
Post-Run: 33,994,104,832 bytes free

- - End Of File - - BD86EB4BB545663E4A6B8FBB46BA5481
freewaydrew
Active Member
 
Posts: 7
Joined: October 13th, 2010, 4:16 am

Re: Unable to remove redirect Virus.

Unread postby askey127 » October 16th, 2010, 6:23 pm

freewaydrew,
I can't tell for sure what was done and what still needs doing.
So we must forge ahead.

Let's check whether you have any other leftover infected files or settings.
This scan can take a long time (hours), but it is very thorough. Please start it when you can let it finish.
It doesn't remove anything. The report, however, is very valuable.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the Program and Database downloads have finished, (may take a while), Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post the contents of this log in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable to remove redirect Virus.

Unread postby freewaydrew » October 17th, 2010, 4:51 am

askey127

Please see below:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, October 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 16, 2010 21:56:30
Records in database: 4180942
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 59858
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:40:04


File name / Threat / Threats count
C:\Documents and Settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-4de4d8dc Infected: Exploit.Java.Agent.bu 1

Selected area has been scanned.


Freewaydrew
freewaydrew
Active Member
 
Posts: 7
Joined: October 13th, 2010, 4:16 am

Re: Unable to remove redirect Virus.

Unread postby askey127 » October 17th, 2010, 6:52 am

freewaydrew,
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    Folder::
    C:\Documents and Settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it shows any malware items, Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt
.

Tell me how the machine is running.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable to remove redirect Virus.

Unread postby freewaydrew » October 17th, 2010, 7:42 am

askey127

Please find both ComboFix and Malwarebytes logs below.

The computer seems to be running ok now. Its letting me open all antivirus/antispyware normally and it doesnt seem to be redirecting by browser anymore.

Im I clean now?

ComboFix 10-10-16.03 - Drew 17/10/2010 12:17:57.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2676 [GMT 1:00]
Running from: c:\documents and settings\Drew\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Drew\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\0\4d43e080-62cd9cc4
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\0\4d43e080-62cd9cc4.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-5d0bfcf6
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-5d0bfcf6.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\11\2b98eb8b-50c13ecc
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\11\2b98eb8b-50c13ecc.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\14\3a44f14e-3021fc82
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\14\3a44f14e-3021fc82.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\14\757e808e-457dedfb
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\14\757e808e-457dedfb.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\15\48d7188f-6fd0d708
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\15\48d7188f-6fd0d708.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\17\6d0ad391-118d2bb1-n\decora-d3d.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\17\6d0ad391-118d2bb1-n\decora-sse.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\17\6d0ad391-118d2bb1
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\17\6d0ad391-118d2bb1.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\18\44029d52-6ae6dd61
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\18\44029d52-6ae6dd61.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\19\75a72d3-27c89831
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\19\75a72d3-27c89831.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-12cdad17
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\23\f34b057-12cdad17.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\24\2a20e358-111c25fb.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\24\96cee98-6399ef13
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\24\96cee98-6399ef13.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\25\794f2bd9-149b1702
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\25\794f2bd9-149b1702.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\25\ff37559-26de6122
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\25\ff37559-26de6122.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\27\3a3fec5b-23be3b26
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\27\3a3fec5b-23be3b26.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\32\3c877e0-19538c24
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\32\3c877e0-19538c24.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\32\3c877e0-2d9a78e7
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\32\3c877e0-2d9a78e7.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\32\6c34baa0-26bb7de6.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\33\6eee3aa1-4f270257
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\33\6eee3aa1-4f270257.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-3e6a29d4
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-3e6a29d4.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\4\3e142b04-1c03f54b
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\4\3e142b04-1c03f54b.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\4\770de004-36b526e9
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\4\770de004-36b526e9.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-23cdc81c-n\gluegen-rt.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-23cdc81c
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-23cdc81c.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\45\738ee96d-33d7a322
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\45\738ee96d-33d7a322.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\6d6756ee-47be3cf6
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\6d6756ee-47be3cf6.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\759e98ee-235c7dba-n\decora-d3d.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\759e98ee-235c7dba-n\decora-sse.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\759e98ee-235c7dba-n\jmc.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\759e98ee-235c7dba-n\msvcp71.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\759e98ee-235c7dba-n\msvcr71.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\759e98ee-235c7dba
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\46\759e98ee-235c7dba.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-4de4d8dc
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-4de4d8dc.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\50\3a4e6332-22380294
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\50\3a4e6332-22380294.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\53\6c37fcf5-4204b0e2
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\53\6c37fcf5-4204b0e2.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\54\1a209876-761be470-n\jmc.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\54\1a209876-761be470-n\msvcp71.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\54\1a209876-761be470-n\msvcr71.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\54\1a209876-761be470
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\54\1a209876-761be470.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\54\41274ef6-761bbe34
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\54\41274ef6-761bbe34.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\55\28db50f7-471fa61f
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\55\28db50f7-471fa61f.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\56\25450178-169bc2d1
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\56\25450178-169bc2d1.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\57\10fa0cb9-3c3ab0f1
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\57\10fa0cb9-3c3ab0f1.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\58\76cf8efa-59f3dbfa
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\58\76cf8efa-59f3dbfa.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\59\1ea183bb-231c73e6
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\59\1ea183bb-231c73e6.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\59\30a022bb-15cf5104
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\59\30a022bb-15cf5104.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\6\306e1546-3e098080
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\6\306e1546-3e098080.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-647a5780-n\jogl.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-647a5780-n\jogl_awt.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-647a5780-n\jogl_cg.dll
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-647a5780
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-647a5780.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\8\7782c888-75ab59df
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\8\7782c888-75ab59df.idx
c:\documents and settings\Drew\Application Data\Sun\Java\Deployment\cache\6.0\lastAccessed

.
((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
.

2010-10-15 22:47 . 2010-10-15 22:47 -------- d-----w- c:\program files\Common Files\Java
2010-10-15 22:46 . 2010-10-15 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-15 22:46 . 2010-10-15 22:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-15 22:46 . 2010-10-15 22:46 -------- d-----w- C:\TEMP
2010-10-15 22:45 . 2010-10-15 22:45 -------- d-----w- C:\Sun
2010-10-13 22:48 . 2010-10-13 22:48 388096 ----a-r- c:\documents and settings\Drew\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-13 22:48 . 2010-10-13 22:48 -------- d-----w- c:\program files\Trend Micro
2010-10-12 23:27 . 2010-10-12 23:28 -------- dc-h--w- c:\windows\ie8
2010-10-12 20:13 . 2010-10-12 20:13 -------- d-----w- c:\documents and settings\Drew\Local Settings\Application Data\Mozilla
2010-10-12 18:17 . 2010-10-12 18:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-12 18:12 . 2010-10-12 18:12 -------- d-----w- c:\documents and settings\Drew\Local Settings\Application Data\Sunbelt Software
2010-10-04 19:54 . 2010-10-05 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-10-03 20:15 . 2010-10-03 21:49 -------- d-----w- c:\program files\Windows Live Safety Center
2010-09-30 22:09 . 2010-09-30 22:09 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-30 22:01 . 2010-09-30 22:01 -------- d-sh--w- c:\documents and settings\Administrator.D8RKHR1J\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-03 2067808]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-14 122368]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 07:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 23:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 12:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 14:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 19:05 204288 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=3 (0x3)
"TomTomHOMEService"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"EPSON_PM_RPCV4_01"=2 (0x2)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/10/2009 18:49 216400]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/10/2009 18:50 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/07/2010 08:38 308136]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 18:49 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 12:31 92008]
.
Contents of the 'Scheduled Tasks' folder

2010-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 17:49]

2010-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 17:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurig ... 1203144706
.
.
Completion time: 2010-10-17 12:23:05
ComboFix-quarantined-files.txt 2010-10-17 11:23
ComboFix2.txt 2010-10-16 19:37

Pre-Run: 33,872,642,048 bytes free
Post-Run: 33,974,423,552 bytes free

- - End Of File - - 8C314EB0B7B94853EF3A5A961E4B8606


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4859

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/10/2010 12:32:45
mbam-log-2010-10-17 (12-32-45).txt

Scan type: Quick scan
Objects scanned: 155324
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Freewaydrew
freewaydrew
Active Member
 
Posts: 7
Joined: October 13th, 2010, 4:16 am

Re: Unable to remove redirect Virus.

Unread postby askey127 » October 17th, 2010, 8:02 am

freewaydrew,
Let's do a few things to clean up and also to make your system more secure.
First make sure your Antivirus is turned back ON.
-----------------------------------------------------------
Replace the Current HOSTS File with MVPs
You can read about HOSTS files here : http://www.mvps.org/winhelp2002/hosts.htm

  • Disable DNS Client Service. This is necessary when installing a large HOSTS file.
    From Start, or Start, Run
    Type services.msc in the box and hit <Enter>
    Give permission to continue if necessary.
    Scroll down to DNS Client on the list, Right Click it and choose Properties.
    Under Service Status, click Stop. Wait until it reports the service stopped.
    Under Startup Type, choose Disabled.
    Then click Apply, OK

  • Use HostsXpert to Install the HOSTS File
    Download HostsXpert and unzip (extract) it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program. Give whatever Permissions are required.
    • In the bottom half of the left pane, click on File Handling
    • If the first button at the top is labeled Make Writeable?, click on it so the label changes to Make Read Only
    • Click third button from the bottom, labeled Download. A couple new buttons will appear at the top.
    • Click on the top button labeled MVPs Hosts and choose Replace
    • When asked to verify if you want to Replace present Hosts file, click OK.
    • When it finishes, click on File Handling again.
    • Click the button at the top labeled Make Read Only, so the label changes to Make Writeable?
    • Hit the X in the upper right corner to exit HostsXpert
------------------------------------------------
Reset System Restore Points
  • Click Start, All Programs, Accessories, System Tools, System Restore
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Click Start, Run and type Cleanmgr
  • Select the Windows drive (usually C:), then click OK.
  • After it scans, Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Reboot your machine to record the changes you have made.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware or changes in the Restore settings.

Good Job.
You should be good to go.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable to remove redirect Virus.

Unread postby freewaydrew » October 17th, 2010, 6:43 pm

askey127

Im I done?

Thanyou so much for all your help. I really appreciate it. Thanks for giving up your time to help a total stranger. Its more than most would do. You are truly self less.

Thanks

Drew
freewaydrew
Active Member
 
Posts: 7
Joined: October 13th, 2010, 4:16 am

Re: Unable to remove redirect Virus.

Unread postby askey127 » October 17th, 2010, 8:01 pm

Drew,
I think you should be all set.
You are more than welcome to the help we can provide.
Good Luck!

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Unable to remove redirect Virus.

Unread postby askey127 » October 20th, 2010, 3:59 pm

this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 44 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware