IE redirects and pop-ups


Re: IE redirects and pop-ups

Post by tblue » July 18th, 2010, 4:03 pm

Results of SystemLook completed on 7/18:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:59 on 18/07/2010 by Toby Blue (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Main]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
"NoExplorer"= 0x0000000001 (1)
@="AcroIEHelperStub"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
"NoExplorer"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
"NoExplorer"= 0x0000000001 (1)
@="JQSIEStartDetectorImpl"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\MIME]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\PluginsPage]
@="http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\PluginsPageFriendlyName]
@="Microsoft ActiveX Gallery"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
(No values found)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
(Unable to open key - key not found)

-=End Of File=-
tblue
Regular Member
 
Posts: 32
Joined: August 2nd, 2007, 5:14 pm
Location: North Carolina

Re: IE redirects and pop-ups

Post by askey127 » July 18th, 2010, 6:04 pm

tblue,
Please post the results from SystemLook.
Thanks
askey
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: IE redirects and pop-ups

Post by tblue » July 18th, 2010, 9:04 pm

Were the first results not correct?
I ran SystemLook again; here are the results below. Thanks.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:59 on 18/07/2010 by Toby Blue (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Main]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
"NoExplorer"= 0x0000000001 (1)
@="AcroIEHelperStub"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
"NoExplorer"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
"NoExplorer"= 0x0000000001 (1)
@="JQSIEStartDetectorImpl"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\MIME]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\PluginsPage]
@="http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\PluginsPageFriendlyName]
@="Microsoft ActiveX Gallery"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
(No values found)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
(Unable to open key - key not found)

-=End Of File=-

Re: IE redirects and pop-ups

Post by askey127 » July 19th, 2010, 6:47 am

tblue,
(You did fine. I just missed the page 2 entry. Sorry.)
------------------------------------------------------------
Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to your Desktop. It will create a new folder.
  • Inside the new folder, if you have XP, double click ERUNT.exe. If you have Vista, right click ERUNT.exe and choose "Run as administrator"
  • OK all the prompts to back up your registry to the default location.
Note: If you ever need to restore your registry later, you would go to the default backup folder and start ERDNT.exe
(The default backup folder is C:\Windows\ERDNT\ and the backups are saved according to date stamp)
-----------------------------------------------------------
Copy/Paste/Run a Registry Edit
Copy/paste the contents of the following code box into a new notepad document:
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=-
"SearchAssistant"=-

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save it as File Type All Files (not as a Text document, or it won't work).
Save it to your Desktop as fixme.reg
Double click fixme.reg on your Desktop, and merge it into the registry when asked.
-----------------------------------------------------------
REBOOT(RESTART) Your Machine

Tell me if you are still getting redirects.
askey127
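Before merging a .reg file somebody hands you, it is worth seeing exactly which keys and values it will touch, and checking it obeys the two formatting rules askey127 gives (nothing before REGEDIT4, one blank line at the end). The script below is an added example, not part of the original thread or of any tool used in it: a small parser for the REGEDIT4 format that lists the operations a fix file performs and reports format errors instead of merging a broken file. The embedded fix file is the fixme.reg from the post above; the function and class names are this example's own.

```python
"""Preview what a REGEDIT4 fix file will do before merging it."""
from dataclasses import dataclass, field

# The fixme.reg from the post above, embedded so the demo runs offline.
FIXME_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Search]\n"
    '"CustomizeSearch"=-\n'
    '"SearchAssistant"=-\n'
    "\n"
)


@dataclass
class RegOp:
    action: str        # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""     # value name; "@" is the key's default value
    data: str = ""     # raw right-hand side, only for set_value


@dataclass
class RegFile:
    ops: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def parse_regedit4(text: str) -> RegFile:
    """Parse a REGEDIT4 file into operations, recording format errors."""
    result = RegFile()
    lines = text.split("\n")
    # Rule from the post: REGEDIT4 must be the very first line, no blanks before it.
    if not lines or lines[0] != "REGEDIT4":
        result.errors.append("first line must be exactly 'REGEDIT4'")
    # Rule from the post: the file must end with one blank line, i.e. "\n\n".
    if not text.endswith("\n\n"):
        result.errors.append("file must end with one blank line")

    key = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):          # [-Key] deletes the whole key
                result.ops.append(RegOp("delete_key", inner[1:]))
                key = None
            else:
                key = inner
            continue
        if key is None:
            result.errors.append(f"line {lineno}: value outside any [key] section")
            continue
        if line.startswith('"'):               # "name"=data
            end = line.find('"', 1)
            if end < 0 or not line[end + 1:].startswith("="):
                result.errors.append(f"line {lineno}: malformed value line")
                continue
            name, data = line[1:end], line[end + 2:]
        elif line.startswith("@="):            # @=data sets the default value
            name, data = "@", line[2:]
        else:
            result.errors.append(f'line {lineno}: expected "name"=data or @=data')
            continue
        if data == "-":                        # "name"=- deletes the value
            result.ops.append(RegOp("delete_value", key, name))
        else:
            result.ops.append(RegOp("set_value", key, name, data))
    return result


def describe(regfile: RegFile) -> list:
    """One human-readable line per operation, for eyeballing before the merge."""
    out = []
    for op in regfile.ops:
        if op.action == "delete_key":
            out.append(f"DELETE KEY   {op.key}")
        elif op.action == "delete_value":
            out.append(f"DELETE VALUE {op.key}\\{op.name}")
        else:
            out.append(f"SET VALUE    {op.key}\\{op.name} = {op.data}")
    return out


if __name__ == "__main__":
    parsed = parse_regedit4(FIXME_REG)
    print("\n".join(describe(parsed)))
    if parsed.errors:
        print("NOT SAFE TO MERGE:", *parsed.errors, sep="\n  ")
```

Run it against the file you saved as fixme.reg (read the file and pass its contents to parse_regedit4) and merge only if the operation list matches what the helper described and the error list is empty; a .reg saved as a .txt, or with a stray blank first line, fails the header check here for the same reason regedit refuses it.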

Re: IE redirects and pop-ups

Post by tblue » July 19th, 2010, 6:51 pm

Yes, I am still getting redirects. When I search on bing and click on the link it provides I get redirected to a totally different website. Thanks.

Re: IE redirects and pop-ups

Post by askey127 » July 19th, 2010, 8:15 pm

What is the brand and model of your router, if you have one?
It is possible you may have a DNS changer router hijack.
Are you using a router that still has the default password for its administrator account?
If you have a router, are there any other computers on it, and are they seeing redirects?

Re: IE redirects and pop-ups

Post by tblue » July 20th, 2010, 1:23 pm

Router is a Linksys WRT54G. My desktop is connected directly to the router. I use the desktop to log into the router and set up my password so that only my family's pc can use the router.

Re: IE redirects and pop-ups

Post by askey127 » July 20th, 2010, 3:10 pm

tblue,
They actually publish the list of the original, default passwords for each router on the Internet.
You can look it up for your make and model.
Router Passwords Default List : http://www.phenoelit-us.org/dpl/dpl.html
If you don't change it, a ZLOB or other infection can use the default password to change your router settings, so as to intercept every communication by passing it through a spyware server.
It will definitely produce redirects.

The router settings will likely have to be re-installed so any "extra" malware server addresses can be removed. (Then you can change your own password)
If you can find the instructions that came with the router, it may save a bit of work. Or look up the User manual online.
I can't tell you what the server addresses are for your Service Provider, but router instructions will be online at their site.

For your router, to change settings, you will need the Linksys address to plug into the Internet Explorer bar, and the admin password. The default username and password for that model are:
username : admin
Password : Admin <== after you are sure the router settings work OK, you need to change this one.
One of the router settings will include a method to change that password.
askey127
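A router hijack of the kind askey127 describes shows up on the client as well: whatever DNS servers the router was reconfigured to use are what DHCP hands to every machine behind it. The script below is an added example, not from the original thread, that parses the text `ipconfig /all` prints on Windows XP and flags, per adapter, any DNS server that is neither the adapter's default gateway (the router) nor on a list of resolvers you know belong to your ISP. The ipconfig output and the ISP list are constructed for the demo; the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for real ones, and the function names are this example's own.

```python
"""Flag DNS servers on a Windows client that a hijacked router may have handed out."""
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (XP layout); not a real capture.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            203.0.113.8

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Dell Wireless 1370 WLAN Mini-PCI Card
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Hypothetical ISP resolvers; replace with the addresses published by your ISP.
ISP_RESOLVERS = {"198.51.100.53", "198.51.100.54"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+([^.:\s][^.:]*?)[ .]*: ?(.*)$")
WANTED = {"default gateway": "gateway", "dns servers": "dns"}


def parse_ipconfig(text: str) -> dict:
    """Map each adapter name to its default-gateway and DNS-server lists."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {"gateway": [], "dns": []})
            last = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            last = WANTED.get(m.group(1).strip().lower())
            value = m.group(2).strip()
            if last and value:
                current[last].append(value)
            continue
        # ipconfig prints a second DNS server on its own indented line.
        value = line.strip()
        if last and value:
            current[last].append(value)
    return adapters


def check_dns(adapters: dict, trusted: set) -> list:
    """Return (adapter, server, reason) for every resolver that is not expected."""
    findings = []
    for name, info in adapters.items():
        expected = set(info["gateway"]) | trusted
        for server in info["dns"]:
            if server in expected:
                continue
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((name, server, "not an IP address"))
                continue
            on_lan = any(addr in net for net in RFC1918)
            where = "another LAN host" if on_lan else "an address outside your LAN"
            findings.append((name, server, f"resolver is {where}, not the router or ISP"))
    return findings


if __name__ == "__main__":
    for adapter, server, reason in check_dns(parse_ipconfig(SAMPLE_IPCONFIG), ISP_RESOLVERS):
        print(f"[{adapter}] DNS server {server}: {reason}")
```

A clean result here does not clear the router: when the client's DNS server is the router itself (192.168.1.1 in the sample), the router forwards queries to whatever upstream servers were set on its own status page, so compare the router's WAN DNS entries with your ISP's published addresses as well, which is the part askey127's reset-then-change-the-password advice covers.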

Re: IE redirects and pop-ups

Post by tblue » July 20th, 2010, 8:18 pm

Ok, I will look into this. I believe the router password is still the default. I also have a desktop that I need assistance with; it runs very slow. Would you be able to assist me with that, or should I just post another request for assistance on it and wait for a reply? Thanks so much.

Re: IE redirects and pop-ups

Post by askey127 » July 20th, 2010, 8:59 pm

tblue,
Please just start a new topic for your other computer (HJT log, Uninstall list, and brief description of the problem) and someone will help.
We don't do multiple computers in the same thread.

If you find you need help with the router, we may be able to help in this topic. Let me know.
Thanks,
askey127

Re: IE redirects and pop-ups

Post by tblue » July 20th, 2010, 9:49 pm

Thanks askey127, I will try to find the router manual and reset it to factory default then change my password. Thanks for all your assistance, the laptop is running much better and I believe most of the issues are corrected. I will try to touch base with you in the next few days to let you know how it went with the router. I'll open another topic on the desktop issue as you suggested. Thanks.

Re: IE redirects and pop-ups

Post by tblue » July 21st, 2010, 10:42 pm

The Avira Antivirus you instructed me to install found a problem that it put in quarantine. Can I post the contents of the report here for you to review? Thanks.

Re: IE redirects and pop-ups

Post by tblue » July 22nd, 2010, 1:52 am

I restored router back to default settings and changed the login password; still getting redirects.

Results from Avira:
Begin scan in 'C:\Documents and Settings\Toby Blue\Local Settings\Temporary Internet Files\Content.IE5\Z9VSJRJM\bv[1].htm'
C:\Documents and Settings\Toby Blue\Local Settings\Temporary Internet Files\Content.IE5\Z9VSJRJM\bv[1].htm
[DETECTION] Contains recognition pattern of the HTML/FakeAlert.lok HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '56bc2a06.qua'.

Searched another forum (Bleeping Computer) and found another user that used TDSSKiller to clear his redirects and pop-ups.
Do you know anything about this executable? Would you suggest it? Thanks.

Re: IE redirects and pop-ups

Post by askey127 » July 22nd, 2010, 6:18 am

tblue,
We have some other options.
I like to see some evidence of a rootkit before calling for the remedy. In your case, Gmer did not show the usual signs of a TDSS infection.
It's always possible that a new strain of rootkit is not being detected by Gmer.
We can flush any recalled bad server addresses, and run TDSSKiller and see if it picks up any of your system files as infected.
--------------------------------------------
Go to Start, Run and type ipconfig /flushdns
Hit <Enter>
--------------------------------------------
Double Click and Run Rkill on your desktop.
--------------------------------------------
TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip, it will create a folder named tdsskiller on your desktop.
  • Double-click the tdsskiller Folder on your desktop.
  • Right-click on the file named tdsskiller.exe, choose Copy, then Paste it directly on to your Desktop (right click an open place on your desktop and choose Paste).
  • Highlight and copy (Ctrl+C) the text inside the codebox below.
    Code:
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste (Ctrl+V) the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • It is important that you run this once and only once!
  • Open tdsskiller.txt on your desktop and post the contents in your next reply
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

askey127

TDSSkiller.txt

Post by tblue » July 24th, 2010, 10:30 am

2010/07/24 09:23:02.0046 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/24 09:23:02.0046 ================================================================================
2010/07/24 09:23:02.0046 SystemInfo:
2010/07/24 09:23:02.0046
2010/07/24 09:23:02.0046 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/24 09:23:02.0046 Product type: Workstation
2010/07/24 09:23:02.0046 ComputerName: TOBY-DELLD610
2010/07/24 09:23:02.0046 UserName: Toby Blue
2010/07/24 09:23:02.0046 Windows directory: C:\WINDOWS
2010/07/24 09:23:02.0046 System windows directory: C:\WINDOWS
2010/07/24 09:23:02.0046 Processor architecture: Intel x86
2010/07/24 09:23:02.0046 Number of processors: 1
2010/07/24 09:23:02.0046 Page size: 0x1000
2010/07/24 09:23:02.0046 Boot type: Normal boot
2010/07/24 09:23:02.0046 ================================================================================
2010/07/24 09:23:02.0671 Initialize success
2010/07/24 09:23:36.0343 ================================================================================
2010/07/24 09:23:36.0343 Scan started
2010/07/24 09:23:36.0343 Mode: Manual;
2010/07/24 09:23:36.0343 ================================================================================
2010/07/24 09:23:38.0437 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/07/24 09:23:38.0515 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/07/24 09:23:38.0656 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/07/24 09:23:38.0765 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/07/24 09:23:39.0062 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2010/07/24 09:23:39.0234 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/07/24 09:23:39.0328 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/07/24 09:23:39.0515 ati2mtag (8eb17cf829df300cc885651cfeaf931c) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/07/24 09:23:39.0671 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/07/24 09:23:39.0890 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/07/24 09:23:40.0000 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/07/24 09:23:40.0046 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/07/24 09:23:40.0093 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/07/24 09:23:40.0250 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/07/24 09:23:40.0421 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/07/24 09:23:40.0593 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/07/24 09:23:40.0687 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/07/24 09:23:40.0796 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/07/24 09:23:40.0890 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/07/24 09:23:41.0015 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/07/24 09:23:41.0109 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/07/24 09:23:41.0203 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/07/24 09:23:41.0312 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/07/24 09:23:41.0421 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/07/24 09:23:41.0515 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/07/24 09:23:41.0671 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/07/24 09:23:41.0781 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/07/24 09:23:41.0890 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/07/24 09:23:42.0000 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2010/07/24 09:23:42.0140 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/07/24 09:23:42.0281 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/07/24 09:23:42.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/07/24 09:23:42.0437 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/07/24 09:23:42.0468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/07/24 09:23:42.0546 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/07/24 09:23:42.0609 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/07/24 09:23:42.0640 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/07/24 09:23:42.0703 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/07/24 09:23:42.0812 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/07/24 09:23:42.0984 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2010/07/24 09:23:43.0062 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
2010/07/24 09:23:43.0390 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/07/24 09:23:43.0468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/07/24 09:23:43.0500 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/07/24 09:23:43.0593 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/07/24 09:23:43.0625 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/07/24 09:23:43.0734 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/07/24 09:23:43.0890 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/07/24 09:23:44.0000 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/07/24 09:23:44.0062 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/07/24 09:23:44.0125 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/07/24 09:23:44.0187 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/07/24 09:23:44.0234 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/07/24 09:23:44.0281 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/07/24 09:23:44.0359 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/07/24 09:23:44.0500 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/07/24 09:23:44.0625 LuIPSec (84487df0b0768ed431de4792ba4ebc36) C:\WINDOWS\system32\DRIVERS\luipsec.sys
2010/07/24 09:23:44.0765 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/07/24 09:23:44.0828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/07/24 09:23:44.0953 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/07/24 09:23:45.0062 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/07/24 09:23:45.0171 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/07/24 09:23:45.0234 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/07/24 09:23:45.0343 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/07/24 09:23:45.0515 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/07/24 09:23:45.0593 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/07/24 09:23:45.0687 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/07/24 09:23:45.0765 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/07/24 09:23:45.0796 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/07/24 09:23:45.0843 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/07/24 09:23:45.0875 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/07/24 09:23:45.0937 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/07/24 09:23:45.0984 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/07/24 09:23:46.0046 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/07/24 09:23:46.0093 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/07/24 09:23:46.0125 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/07/24 09:23:46.0187 NEOFLTR_630_13725 (e6f4104575eb71b9ba53469f84ce7bbc) C:\WINDOWS\system32\Drivers\NEOFLTR_630_13725.SYS
2010/07/24 09:23:46.0203 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/07/24 09:23:46.0250 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/07/24 09:23:46.0359 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/07/24 09:23:46.0468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/07/24 09:23:46.0593 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/07/24 09:23:46.0671 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/07/24 09:23:46.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/07/24 09:23:46.0843 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2010/07/24 09:23:46.0937 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/07/24 09:23:47.0015 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/07/24 09:23:47.0109 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/07/24 09:23:47.0156 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/07/24 09:23:47.0203 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/07/24 09:23:47.0234 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/07/24 09:23:47.0437 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/07/24 09:23:47.0468 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/07/24 09:23:47.0515 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/07/24 09:23:47.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/07/24 09:23:47.0625 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/07/24 09:23:47.0750 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/07/24 09:23:47.0828 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/07/24 09:23:47.0843 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/07/24 09:23:47.0875 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/07/24 09:23:47.0906 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/07/24 09:23:47.0953 RDPCDD (91615c5292aef2c6991ae0e3426b16ea) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/07/24 09:23:47.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 91615c5292aef2c6991ae0e3426b16ea, Fake md5: 4912d5b403614ce99c28420f75353332
2010/07/24 09:23:47.0953 RDPCDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/07/24 09:23:47.0984 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/07/24 09:23:48.0062 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/07/24 09:23:48.0125 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/07/24 09:23:48.0234 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/07/24 09:23:48.0328 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/07/24 09:23:48.0359 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/07/24 09:23:48.0406 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/07/24 09:23:48.0484 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/07/24 09:23:48.0593 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/07/24 09:23:48.0687 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/07/24 09:23:48.0750 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/07/24 09:23:48.0828 STAC97 (19fcec67aaffab07ba358860a602cb4a) C:\WINDOWS\system32\drivers\STAC97.sys
2010/07/24 09:23:48.0906 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/07/24 09:23:48.0984 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/07/24 09:23:49.0093 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/07/24 09:23:49.0140 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/07/24 09:23:49.0218 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/07/24 09:23:49.0312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/07/24 09:23:49.0328 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/07/24 09:23:49.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/07/24 09:23:49.0546 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/07/24 09:23:49.0625 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/07/24 09:23:49.0671 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/07/24 09:23:49.0812 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/07/24 09:23:49.0921 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/07/24 09:23:50.0015 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/07/24 09:23:50.0093 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/07/24 09:23:50.0156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/07/24 09:23:50.0250 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/07/24 09:23:50.0406 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/07/24 09:23:50.0484 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/07/24 09:23:50.0593 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/07/24 09:23:50.0890 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/07/24 09:23:50.0953 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/07/24 09:23:51.0015 ================================================================================
2010/07/24 09:23:51.0015 Scan finished
2010/07/24 09:23:51.0015 ================================================================================
2010/07/24 09:23:51.0031 Detected object count: 1
2010/07/24 09:24:36.0171 RDPCDD (91615c5292aef2c6991ae0e3426b16ea) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/07/24 09:24:36.0171 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 91615c5292aef2c6991ae0e3426b16ea, Fake md5: 4912d5b403614ce99c28420f75353332
2010/07/24 09:24:37.0968 Backup copy found, using it..
2010/07/24 09:24:38.0000 C:\WINDOWS\system32\DRIVERS\RDPCDD.sys - will be cured after reboot
2010/07/24 09:24:38.0000 Rootkit.Win32.TDSS.tdl3(RDPCDD) - User select action: Cure
2010/07/24 09:25:25.0015 Deinitialize success
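The interesting lines in the log above are the three for RDPCDD: the ordinary listing line with its MD5, the "Suspicious file (Forged)" line with a Real and a Fake md5 that do not match, and the detection name, followed later by the chosen action and the pending reboot. The script below is an added example, not part of the original thread or of Kaspersky's tool, that turns a TDSSKiller log of this shape (the format askey127's instructions produce and tblue posted) into structured findings so a helper can check detection, action and reboot state programmatically rather than by scrolling. The reading of the two hash labels used in its comments is an assumption, not something the page states: the Fake md5 is taken to be the hash of the clean-looking contents the rootkit serves through the normal file-system path, and the Real md5 the hash of the sectors the tool reads underneath that hook, which is why the listing line carries the real hash. The sample lines are excerpted from the log posted above; the class and function names are this example's own.

```python
"""Turn a TDSSKiller log into structured findings."""
import re
from dataclasses import dataclass, field

# Lines excerpted from the TDSSKiller log posted above.
SAMPLE_LOG = """\
2010/07/24 09:23:47.0906 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\\WINDOWS\\system32\\DRIVERS\\rdbss.sys
2010/07/24 09:23:47.0953 RDPCDD (91615c5292aef2c6991ae0e3426b16ea) C:\\WINDOWS\\system32\\DRIVERS\\RDPCDD.sys
2010/07/24 09:23:47.0953 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\RDPCDD.sys. Real md5: 91615c5292aef2c6991ae0e3426b16ea, Fake md5: 4912d5b403614ce99c28420f75353332
2010/07/24 09:23:47.0953 RDPCDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/07/24 09:23:47.0984 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\\WINDOWS\\system32\\DRIVERS\\rdpdr.sys
2010/07/24 09:23:51.0031 Detected object count: 1
2010/07/24 09:24:38.0000 C:\\WINDOWS\\system32\\DRIVERS\\RDPCDD.sys - will be cured after reboot
2010/07/24 09:24:38.0000 Rootkit.Win32.TDSS.tdl3(RDPCDD) - User select action: Cure
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DRIVER_RE = re.compile(TS + r"(\S+) \(([0-9a-f]{32})\) (.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$")
DETECT_RE = re.compile(TS + r"(\S+) - detected (\S+) \((\d+)\)$")
ACTION_RE = re.compile(TS + r"([^(\s]+)\(([^)]+)\) - User select action: (\S+)$")
REBOOT_RE = re.compile(TS + r"(.+) - will be cured after reboot$")
COUNT_RE = re.compile(TS + r"Detected object count: (\d+)$")


@dataclass
class Finding:
    service: str
    path: str = ""
    listed_md5: str = ""   # hash on the driver's own listing line
    real_md5: str = ""     # assumed: hash of the sectors read under the hook
    fake_md5: str = ""     # assumed: hash of what the rootkit serves via the file system
    detection: str = ""
    action: str = ""
    reboot_pending: bool = False


@dataclass
class Report:
    drivers: int = 0           # distinct driver files listed
    detected_count: int = -1   # the tool's own "Detected object count"
    findings: dict = field(default_factory=dict)   # service name -> Finding


def parse_tdsskiller(text: str) -> Report:
    """Parse listing, forged-file, detection, action and reboot lines."""
    report = Report()
    by_path = {}   # lower-cased path -> (service, listed md5)
    for line in text.splitlines():
        if m := DRIVER_RE.match(line):
            service, md5, path = m.groups()
            by_path[path.lower()] = (service, md5)
        elif m := FORGED_RE.match(line):
            path, real, fake = m.groups()
            service, listed = by_path.get(path.lower(), (path, ""))
            f = report.findings.setdefault(service, Finding(service))
            f.path, f.listed_md5, f.real_md5, f.fake_md5 = path, listed, real, fake
        elif m := DETECT_RE.match(line):
            report.findings.setdefault(m.group(1), Finding(m.group(1))).detection = m.group(2)
        elif m := ACTION_RE.match(line):
            _name, service, action = m.groups()
            report.findings.setdefault(service, Finding(service)).action = action
        elif m := REBOOT_RE.match(line):
            path = m.group(1)
            service = by_path.get(path.lower(), (path, ""))[0]
            report.findings.setdefault(service, Finding(service)).reboot_pending = True
        elif m := COUNT_RE.match(line):
            report.detected_count = int(m.group(1))
    report.drivers = len(by_path)
    return report


def summarize(report: Report) -> list:
    """One line per finding; 'forged' means the two hash views disagree."""
    lines = []
    for f in report.findings.values():
        forged = bool(f.real_md5) and f.real_md5 != f.fake_md5
        lines.append(f"{f.service}: {f.detection or 'no detection name'}; "
                     f"forged={'yes' if forged else 'no'}; action={f.action or 'none'}; "
                     f"reboot_pending={f.reboot_pending}")
    if report.detected_count != len(report.findings):
        lines.append(f"WARNING: tool reported {report.detected_count} objects, "
                     f"log shows {len(report.findings)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_tdsskiller(SAMPLE_LOG))))
```

Two things the summary makes cheap to check on a pasted log: a mismatch between the tool's "Detected object count" and the number of findings means the paste was truncated, and a finding with action "none" means the user closed the tool before choosing Cure, which is exactly the case where running it a second time (which the instructions above forbid) would otherwise be tempting.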
