Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: bicyclist on June 10, 2011, 07:40:33 PM
-
Hello,
I am having a problem when using Google. When I click on the search results I am usually directed to other websites that sometimes are related to the topic I searched. If I go back one page while the computer is being redirected and then hit the same desired search result again, the computer is usually not redirected and instead goes to the desired webpage. Sometimes I have to go back and forth several times to get to the desired webpage.
Also I am having problems connecting to the internet and I think it might be related to the redirect problem--happened about the same time. I also don't have any sound coming from my speakers--I did not notice when that problem started.
I've scanned the computer with PC Tools Spyware Doctor and Shield Deluxe Services virus checkers and they can't find the infection. I'm running Microsoft Windows XP, Version 2002, Service Pack 3.
Please help.
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*********************************************************
SUPERAntiSpyware
If you already have SUPERAntiSpyware be sure to check for updates before scanning!
Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
•Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.
•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
*******************************************
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
***********************************************
Download DDS from HERE (http://download.bleepingcomputer.com/sUBs/dds.scr) or HERE (http://www.forospyware.com/sUBs/dds) and save it to your desktop.
Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
1) DDS.txt
2) Attach.txt
* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.
Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.
-
Hi Dave,
Thank you for responding and helping me with my problem. The SuperAntiSpyware (SAS) doesn't seem to be running on my computer. Maybe the infection recognizes it and does not let it run? I do not get the SAS control center screen mentioned in your instructions (the prompts for Update, Preferences, Start-Up Options, etc.). So I never get to the scan command. :(
Here is a little more detail. After downloading SAS and pasting the file to my desktop and clicking on the SAS icon on the desktop, I get a window from my other spyware software that asks me if I want to run the SAS. I then clicked on the "run" in that window and the computer goes back to desktop view with the SAS icon highlighted and the only other activity is the hourglass appears occasionally next to my pointer/arrow.
I also heard a little murmur/electronic sound coming from my computer as though something was engaging. I let SAS "run" (?) in this fashion for an hour or two and nothing happened. I then deleted SAS and downloaded it again and then tried to run it again for about ten minutes with no luck.
By the way, I did check on the SAS file size (10.8 MB) on my computer and therefore I think SAS has downloaded successfully onto my computer.
What should I do next? ??? Maybe I need to run the SAS for several hours or overnight? I don't have problems running other programs such as the word processing software or the other anti-spyware programs on my computer. I'm stumped.
-
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.
There are 7 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
* Rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
* Rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
* Rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
* WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
* uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)
* iExplore.exe (http://download.bleepingcomputer.com/grinler/iExplore.exe)
* eXplorer.exe (http://download.bleepingcomputer.com/grinler/eXplorer.exe)
Once you've gotten one of them to run then try to immediately run the following.
Now try running MBAM, SAS and DDS and post the logs.
If that still doesn't work, re-boot in Safe Mode with NetWorking and run MBAM. Reboot in Normal mode and try running MBAM again
Here's (http://www.computerhope.com/issues/chsafe.htm) how to get into Safe Mode.
-
I think Rkill did not run; I tried all seven versions you listed. I got a similar message for all those versions: "Processes terminated by Rkill or while it was running: Rkill completed on 06/13/2011 at 20:54:18." While that message was being generated, I tried to run SAS and it did not run (SAS icon highlighted only). :(
As you instructed, I downloaded and installed Malwarebytes Anti-Malware (MBAM) while in normal mode, rebooted the system in "Safe Mode with Networking", and tried unsuccessfully to run MBAM in Safe Mode. :( I don't have problems running other programs such as my word processing software while in Safe Mode.
By the way, I did check on the MBAM file size (4.69 MB) installed on my computer and therefore I think MBAM is installed successfully. The file I downloaded in order to install MBAM (mbam-setup.exe) was a larger file (7.37 MB).
What should I do next? ???
-
Did you try running the DDS scan?
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you insist on using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
(http://i424.photobucket.com/albums/pp322/digistar/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/RC_successful.gif)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Sorry for the delayed response; I had a sick family member.
The dds.txt scan results:
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Run by User at 16:37:40 on 2011-06-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1073 [GMT -7:00]
.
AV: The Shield Deluxe Antivirus *Enabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Update Service\livesrv.exe
C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\vsserv.exe
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Psion\PsiWin\Psconsv.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alarm95\Alarm95.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\PROGRA~1\Psion\PsiWin\Elogerr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
TB: The Shield Deluxe 2010 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\the shield deluxe\the shield deluxe 2010\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\the shield deluxe\the shield deluxe 2010\IEShow.exe"
mRun: [BDAgent] "c:\program files\the shield deluxe\the shield deluxe 2010\bdagent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\alarm9~2.lnk - c:\windows\winhelp.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\alarm9~1.lnk - c:\program files\alarm95\Alarm95.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\psiwin~1.lnk - c:\program files\psion\psiwin\Psconsv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Trusted Zone: google.com\earth
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\lc6vgsqt.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-12-18 40840]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-16 130936]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-12-18 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-12-18 81288]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2010-3-6 20480]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-9-17 152328]
R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [2010-3-7 264576]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-16 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-16 40552]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
.
=============== Created Last 30 ================
.
2011-06-14 04:49:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 04:49:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-14 04:49:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JB-00JJC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x88FC5EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88570872; SUB DWORD [EBP-0x4], 0x8857012e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x898DCAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005c[0x8971D8E8]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8965D940]
[0x891C0218] -> IRP_MJ_CREATE -> 0x88FC5EC5
kernel: MBR read successfully
_asm { CALL 0x115; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JB-00JJC0______________________05.01C05#5&31036641&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x88FC5AEA
user & kernel MBR OK
sectors 156301486 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:41:17.98 ===============
The attach.txt file:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/3/2007 3:05:34 PM
System Uptime: 6/14/2011 11:56:59 AM (5 hours ago)
.
Motherboard: Hewlett-Packard | | 090Ch
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | XU1 PROCESSOR | 2792/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 54.458 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 6/10/2011 11:23:04 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.4.0
Alarm95
ArcSoft PhotoImpression 4
Audacity 1.2.6
Broadcom Management Programs
Broadcom NetXtreme Ethernet Controller
Camera Driver
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
eFax Messenger 4.3
GIMP 2.4.5
Google Desktop
Google Earth
Google Photos Screensaver
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GTK+ Runtime 2.12.8 rev a (remove only)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics 2 Driver
iTunes
Java(TM) 6 Update 4
Java(TM) 6 Update 7
Joost (tm) Beta 1.1.4
LizardTech DjVu Control
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
MediaCoder 0.6.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer
Microsoft Office Word Viewer 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Miro
Mozilla Firefox 4.0.1 (x86 en-US)
Mozilla Thunderbird (2.0.0.17)
MSXML 6.0 Parser (KB933579)
OpenOffice.org 2.4
Picasa 3
Pidgin
POV-Ray for Windows v3.6.1b
PsiWin 2.3
QuickTime
Rhapsody Player Engine
Santa Clara County Water Wise Gardening
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SoundMAX
Spyware Doctor 6.0
The Shield Deluxe 2010
TRENDnet TEW-424UB Wireless USB 2.0 Adapter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebEx
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Yahoo! Install Manager
Yahoo! Widgets
.
==== Event Viewer Messages From Past Week ========
.
6/9/2011 8:34:28 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
6/9/2011 10:54:45 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/9/2011 10:33:17 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
6/8/2011 9:52:07 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6/8/2011 5:45:32 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 4 time(s).
6/8/2011 12:48:59 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
6/8/2011 10:32:07 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
6/8/2011 10:30:15 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014D148339E. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
6/8/2011 1:50:51 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
6/13/2011 12:39:43 PM, error: DCOM [10005] - DCOM got error "%109" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/13/2011 12:08:56 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPodService service to connect.
6/13/2011 12:08:56 PM, error: Service Control Manager [7000] - The iPodService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/13/2011 12:06:44 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
6/10/2011 7:24:13 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 7 time(s).
6/10/2011 6:53:41 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 6 time(s).
6/10/2011 6:23:49 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 5 time(s).
6/10/2011 11:49:57 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
6/10/2011 11:49:57 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
6/10/2011 11:44:57 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
6/10/2011 11:44:57 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: The requested service provider could not be loaded or initialized.
.
==== End Of File ===========================
I'm in the process of disabling my virus checkers and firewalls in order to run ComboFix. I have disabled two virus checkers that are in regular use on my system: the Shield Deluxe and PC Tools Spyware's IntelliGuard. I cannot display the Windows firewall settings on my computer. :(
I do have a Windows Firewall icon in my Control Panel window; so I think there may be a Windows firewall on my system. By the way, I no longer have the McAfee Security Scan Plus service and I think I have deleted that software from my computer (I don't know why it shows up in the DDS scans--maybe I should investigate?). I have downloaded but not successfully run the Malwarebytes' Anti-Malware nor the SAS software on my system as I mentioned in my earlier post; therefore, I don't think I need to disable those programs.
When I followed the directions from BleepingComputer to see if the Windows Firewall is running ("To check if the Windows Firewall is turned on or off, go to Start > Run and type: firewall.cpl press OK ") I got a window that said "Window Firewall settings cannot be displayed because the associated service is not running". When I clicked "Yes" to start the Internet Connection Service, I got a window that said "Windows cannot start the Windows/Internet Connection Sharing (ICS) service".
What should I do next? ???
-
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.
:OTL
Trusted Zone: google.com\earth
Trusted Zone: internet
Trusted Zone: mcafee.com
:COMMANDS
[resethosts]
[purity]
[emptytemp]
[start explorer]
* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
*************************************************************
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the C:\ directory..
-
Dave,
After following your instructions in your last post, I'm not having redirect problems anymore. :) The TDSSKiller found a problem and cured it. Thank you.
I there anything else I need to do?
The OTL report:
All processes killed
========== OTL ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56545 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 2643102 bytes
->FireFox cache emptied: 4545144 bytes
->Flash cache emptied: 567 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: User
->Temp folder emptied: 1602551775 bytes
->Temporary Internet Files folder emptied: 135845320 bytes
->Java cache emptied: 8733415 bytes
->FireFox cache emptied: 112916619 bytes
->Flash cache emptied: 78437 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2163145 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 139871984 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 227530693 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 2,133.00 mb
OTL by OldTimer - Version 3.2.25.0 log created on 07012011_130002
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
The TDSSKiller report:
2011/07/01 14:53:43.0671 3812 TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
2011/07/01 14:53:43.0687 3812 ================================================================================
2011/07/01 14:53:43.0687 3812 SystemInfo:
2011/07/01 14:53:43.0687 3812
2011/07/01 14:53:43.0687 3812 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/01 14:53:43.0687 3812 Product type: Workstation
2011/07/01 14:53:43.0687 3812 ComputerName: KENCOMPUTER
2011/07/01 14:53:43.0687 3812 UserName: User
2011/07/01 14:53:43.0687 3812 Windows directory: C:\WINDOWS
2011/07/01 14:53:43.0687 3812 System windows directory: C:\WINDOWS
2011/07/01 14:53:43.0687 3812 Processor architecture: Intel x86
2011/07/01 14:53:43.0687 3812 Number of processors: 1
2011/07/01 14:53:43.0687 3812 Page size: 0x1000
2011/07/01 14:53:43.0687 3812 Boot type: Normal boot
2011/07/01 14:53:43.0687 3812 ================================================================================
2011/07/01 14:53:48.0984 3812 Initialize success
2011/07/01 14:54:05.0312 3920 ================================================================================
2011/07/01 14:54:05.0312 3920 Scan started
2011/07/01 14:54:05.0312 3920 Mode: Manual;
2011/07/01 14:54:05.0312 3920 ================================================================================
2011/07/01 14:54:05.0859 3920 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/01 14:54:05.0921 3920 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/01 14:54:06.0031 3920 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/07/01 14:54:06.0125 3920 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/01 14:54:06.0187 3920 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/07/01 14:54:06.0250 3920 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/01 14:54:06.0578 3920 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/01 14:54:06.0625 3920 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/01 14:54:06.0703 3920 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/01 14:54:06.0750 3920 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/01 14:54:06.0843 3920 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/07/01 14:54:06.0921 3920 BDFM (2b4257ff280b93e3c503925f61d24cba) C:\WINDOWS\system32\drivers\bdfm.sys
2011/07/01 14:54:07.0015 3920 bdfsfltr (9b281f5f673cbc5b9ec886d59e0b4f26) C:\WINDOWS\system32\drivers\bdfsfltr.sys
2011/07/01 14:54:07.0125 3920 bdftdif (bf1088ece2236621aa31d9108afcc53c) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Firewall\bdftdif.sys
2011/07/01 14:54:07.0218 3920 BDSelfPr (5eaf583c0b1cc2499761ea3b065f5db2) C:\Program Files\The Shield Deluxe\The Shield Deluxe 2010\bdselfpr.sys
2011/07/01 14:54:07.0312 3920 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/01 14:54:07.0437 3920 Blfp (07a758bffb297819252aa72bab0e6611) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
2011/07/01 14:54:07.0515 3920 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/01 14:54:07.0578 3920 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/07/01 14:54:07.0656 3920 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/01 14:54:07.0921 3920 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/01 14:54:07.0968 3920 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/01 14:54:08.0234 3920 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/01 14:54:08.0343 3920 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/01 14:54:08.0453 3920 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/01 14:54:08.0562 3920 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/01 14:54:08.0625 3920 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/01 14:54:08.0703 3920 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/01 14:54:08.0781 3920 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/01 14:54:08.0843 3920 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/01 14:54:08.0906 3920 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/01 14:54:08.0968 3920 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/01 14:54:09.0031 3920 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/01 14:54:09.0109 3920 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/01 14:54:09.0156 3920 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/01 14:54:09.0234 3920 GEARAspiWDM (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/07/01 14:54:09.0312 3920 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/01 14:54:09.0406 3920 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/01 14:54:09.0546 3920 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/01 14:54:09.0703 3920 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/01 14:54:09.0796 3920 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/01 14:54:09.0953 3920 IKFileSec (ff9f262494fc23d77a6148d49d87d2de) C:\WINDOWS\system32\drivers\ikfilesec.sys
2011/07/01 14:54:10.0000 3920 IKSysFlt (7e359671fd9595ecb1b0a33fb4184b19) C:\WINDOWS\system32\drivers\iksysflt.sys
2011/07/01 14:54:10.0062 3920 IKSysSec (a44cb3cf3af266665261a6e6c9cac27c) C:\WINDOWS\system32\drivers\iksyssec.sys
2011/07/01 14:54:10.0109 3920 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/01 14:54:10.0218 3920 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/01 14:54:10.0296 3920 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/01 14:54:10.0343 3920 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/01 14:54:10.0406 3920 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/01 14:54:10.0500 3920 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/01 14:54:10.0578 3920 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/01 14:54:10.0640 3920 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/01 14:54:10.0750 3920 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/01 14:54:10.0796 3920 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/01 14:54:10.0859 3920 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/01 14:54:10.0906 3920 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/01 14:54:10.0968 3920 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/01 14:54:11.0031 3920 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/01 14:54:11.0125 3920 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
2011/07/01 14:54:11.0187 3920 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
2011/07/01 14:54:11.0250 3920 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/01 14:54:11.0359 3920 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/01 14:54:11.0421 3920 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/01 14:54:11.0484 3920 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/01 14:54:11.0546 3920 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/01 14:54:11.0625 3920 MR97310_USB_DUAL_CAMERA (1aae79a4176a957bf2bb679812f04655) C:\WINDOWS\system32\DRIVERS\mr97310c.sys
2011/07/01 14:54:11.0718 3920 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/01 14:54:11.0796 3920 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/01 14:54:11.0859 3920 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/01 14:54:11.0906 3920 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/01 14:54:11.0953 3920 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/01 14:54:12.0031 3920 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/01 14:54:12.0093 3920 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/07/01 14:54:12.0187 3920 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/01 14:54:12.0375 3920 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/01 14:54:12.0546 3920 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/01 14:54:12.0703 3920 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/01 14:54:12.0750 3920 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/01 14:54:12.0796 3920 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/01 14:54:12.0875 3920 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/01 14:54:12.0937 3920 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/01 14:54:12.0984 3920 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/01 14:54:13.0093 3920 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/01 14:54:13.0171 3920 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/01 14:54:13.0281 3920 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/01 14:54:13.0375 3920 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/01 14:54:13.0453 3920 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/01 14:54:13.0546 3920 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/01 14:54:13.0625 3920 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/01 14:54:13.0687 3920 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/01 14:54:13.0750 3920 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/01 14:54:13.0828 3920 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/01 14:54:13.0890 3920 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/01 14:54:13.0984 3920 PCTCore (aa9cfa67850893fbb168b9c4e4c86952) C:\WINDOWS\system32\drivers\PCTCore.sys
2011/07/01 14:54:14.0296 3920 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/01 14:54:14.0421 3920 Profos (d90a33660d328a9f587580f0b38c85de) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Threat Scanner\profos.sys
2011/07/01 14:54:14.0484 3920 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/01 14:54:14.0562 3920 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/01 14:54:14.0750 3920 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/01 14:54:14.0828 3920 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/01 14:54:14.0906 3920 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/01 14:54:14.0937 3920 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/01 14:54:15.0000 3920 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/01 14:54:15.0062 3920 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/01 14:54:15.0171 3920 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/01 14:54:15.0234 3920 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/01 14:54:15.0390 3920 RTL8187B (fe999b16e967c84790be6dc1b4e78f2d) C:\WINDOWS\system32\DRIVERS\RTL8187B.sys
2011/07/01 14:54:15.0515 3920 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/01 14:54:15.0609 3920 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/01 14:54:15.0671 3920 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/01 14:54:15.0750 3920 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/01 14:54:15.0906 3920 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/01 14:54:15.0984 3920 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
2011/07/01 14:54:16.0156 3920 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/01 14:54:16.0218 3920 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/01 14:54:16.0296 3920 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/01 14:54:16.0359 3920 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/01 14:54:16.0421 3920 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/01 14:54:16.0609 3920 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/01 14:54:16.0687 3920 Tcpip (a7d39994cf210133afd8c6ed090765b1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/01 14:54:16.0687 3920 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: a7d39994cf210133afd8c6ed090765b1, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
2011/07/01 14:54:16.0703 3920 Tcpip - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/07/01 14:54:16.0765 3920 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/01 14:54:16.0828 3920 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/01 14:54:16.0921 3920 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/01 14:54:17.0109 3920 Trufos (b16d66a71de03285e14e9f165b59eda4) C:\Program Files\Common Files\The Shield Deluxe\The Shield Deluxe Threat Scanner\trufos.sys
2011/07/01 14:54:17.0203 3920 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/01 14:54:17.0328 3920 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/01 14:54:17.0390 3920 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/01 14:54:17.0640 3920 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/01 14:54:17.0703 3920 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/01 14:54:17.0781 3920 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/01 14:54:17.0859 3920 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/01 14:54:17.0968 3920 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/01 14:54:18.0046 3920 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/01 14:54:18.0125 3920 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/01 14:54:18.0234 3920 WLNdis50 (bb2c5a7a555b387b85481b8bde5370d7) C:\WINDOWS\system32\DRIVERS\wlndis50.sys
2011/07/01 14:54:18.0343 3920 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/01 14:54:18.0437 3920 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/01 14:54:18.0500 3920 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/01 14:54:18.0593 3920 MBR (0x1B8) (5f8b5082f3482cc06b72ec5806598ae9) \Device\Harddisk0\DR0
2011/07/01 14:54:18.0671 3920 Boot (0x1200) (c7994081284bdc325ed2291034ec901e) \Device\Harddisk0\DR0\Partition0
2011/07/01 14:54:18.0671 3920 ================================================================================
2011/07/01 14:54:18.0671 3920 Scan finished
2011/07/01 14:54:18.0671 3920 ================================================================================
2011/07/01 14:54:18.0687 2804 Detected object count: 1
2011/07/01 14:54:18.0687 2804 Actual detected object count: 1
2011/07/01 14:54:34.0218 2804 Tcpip (a7d39994cf210133afd8c6ed090765b1) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/01 14:54:34.0218 2804 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: a7d39994cf210133afd8c6ed090765b1, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d
2011/07/01 14:54:40.0937 2804 Backup copy found, using it..
2011/07/01 14:54:41.0765 2804 C:\WINDOWS\system32\DRIVERS\tcpip.sys - will be cured after reboot
2011/07/01 14:54:41.0765 2804 Rootkit.Win32.TDSS.tdl3(Tcpip) - User select action: Cure
2011/07/01 14:55:00.0265 2888 Deinitialize success
-
I there anything else I need to do?
I want to run some more scans to make sure everything is gone.
Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)
and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you insist on using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
(http://i424.photobucket.com/albums/pp322/digistar/Query_RC.gif)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/RC_successful.gif)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Dave,
I ran ComboFix somewhat successfully. Please find the log below.
It lost the Internet connection while it was trying to create the new system restore point. It was trying to connect to get the MS Recovery Console--I never got the console.
I did not touch the computer at all when Combofix was trying to run so I was not the cause of the disconnection. It prompted me to make the connection but there was nothing for me to do to reconnect; the Internet connection icon in the system tray was indicating intermittent Internet connection (icon went back and forth between red "X" and wave symbol next to the monitor symbol).
By the way, ComboFix prompted me earlier to allow them to update their software to the newest version and I clicked 'OK". It was able to download a newer version so I had an Internet connection at that point (I had an earlier version because I downloaded it a week ago at your direction noted in your post of June 14).
In order to get something going, I went ahead and clicked "OK" in the "Kindly connect before clicking OK" in the ComboFix window. The next window said that it was aborting because it could not download files and I clicked "OK" in that window to continue the scan for bad files.
On the automatic rebooting of the system, the ComboFix log was eventually posted but the Internet connection was still lost. On the next (manual) reboot the connection was restored.
I disabled my Windows XP firewall as well as my Shield Deluxe antivirus protection before running ComboFix.
I noticed in the ComboFix log that a McAfee firewall might still be on my machine. I don't know where or how to disable this; I do not have an icon in my system tray for that program. I cancelled that service months ago and, if I remember correctly, I thought I uninstalled it. It is possible that I deleted their files rather than used them to uninstall their features--I don't think McAfee gave me clear directions on the correct uninstall procedures at the time I cancelled their service. I know I deleted some McAfee program files after I cancelled their service. Should I contact McAfee to see what I need to do? ???
My computer is still working well; no redirect problem. :)
What should I do next? Should I try to run ComboFix after figuring out the firewall issue? ???
ComboFix log:
ComboFix 11-07-09.03 - User 07/09/2011 19:47:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1080 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: The Shield Deluxe Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\$winnt$.inf
c:\windows\system32\closeapp.exe
c:\windows\vb.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
.
.
2011-07-06 06:23 . 2011-07-06 06:23 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-06 06:23 . 2011-07-06 06:23 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-01 20:00 . 2011-07-01 20:00 -------- d-----w- C:\_OTL
2011-06-27 00:10 . 2011-06-27 00:10 0 ---ha-w- c:\documents and settings\User\Local Settings\Application Data\BITC4.tmp
2011-06-24 20:34 . 2011-06-24 20:34 -------- d-----w- c:\program files\Common Files\InstallShield
2011-06-19 01:34 . 2011-06-19 01:34 0 ---ha-w- c:\documents and settings\User\Local Settings\Application Data\BITBD.tmp
2011-06-19 01:17 . 2011-06-19 01:17 0 ---ha-w- c:\documents and settings\User\Local Settings\Application Data\BITBC.tmp
2011-06-15 06:11 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 04:49 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 04:49 . 2011-06-14 04:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-14 04:49 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-01 21:55 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-05-02 15:31 . 2007-02-03 23:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-06 06:23 . 2011-04-30 21:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-09-14 05:10 . 2010-08-07 21:24 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2011-07-01 22:45 . 2008-06-03 17:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BitDefender Antiphishing Helper"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\IEShow.exe" [2009-09-14 71152]
"BDAgent"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe" [2009-09-24 1114536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-04 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-15 278528]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-07-01 30192]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Alarm 95 Help.lnk - c:\windows\winhelp.exe [2004-8-4 256192]
Alarm 95.lnk - c:\program files\Alarm95\Alarm95.exe [2009-8-23 426496]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-9-6 629248]
PsiWin 2.3 Connection Server.lnk - c:\program files\Psion\PsiWin\Psconsv.exe [2008-7-16 286720]
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2010-3-7 368640]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LMIRescue_05cc69be-ef6c-40d9-a32e-51b51a08a20b"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/16/2009 3:34 PM 130936]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/6/2010 5:51 PM 20480]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [9/17/2009 4:12 PM 152328]
R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [3/7/2010 4:25 PM 264576]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-424UB\WLSVC.exe [3/7/2010 4:25 PM 167936]
S3 Arrakis3;The Shield Deluxe Arrakis Server;c:\program files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [9/13/2009 11:31 PM 183880]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2007 12:00 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/2/2008 10:18 AM 348752]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 03:27]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc076dadee6214.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
Trusted Zone: google.com\earth
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13}: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lc6vgsqt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-22771467.sys
AddRemove-InstallShield_{54C0D94A-F467-4ABC-9D02-6E58748668D4} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} - c:\progra~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe
AddRemove-MSMONEYV4 - c:\program files\Microsoft Money\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-09 20:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2084)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-09 20:08:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-10 03:08
.
Pre-Run: 59,208,437,760 bytes free
Post-Run: 59,103,842,304 bytes free
.
- - End Of File - - C8C30CBA04197C1CFEA51D93309AA454
-
I forgot to mention that the Security check indicates that you have Panda Antivirus Pro 2012 and Norton 360 running at the same time on your computer. One of these AV's will have to be disabled/uninstalled.
*********************************************
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
KillAll::
File::
C:\found.005
C:\found.004
C:\found.003
C:\found.002
C:\found.001
DirLook::
C:\40d9b26e2a8b3f767a
C:\ef60c58cdd1f56bf95401cfaf20940ef
Firefox::
Trusted Zone: internet
Trusted Zone: mcafee.com
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i424.photobucket.com/albums/pp322/digistar/cfscriptb4.gif)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
*********************************************************
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs scanned they must be done separately and links posted for each one)
* Copy the file path in the below Code box:
c:\windows\system32\x64
c:\windows\system32\igxpun.exe
c:\windows\system32\Drivers\utkwnty5.sys
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
-
Dave,
Sorry about the delayed response; I have some family members that are sick and it takes most of my free time (elderly father and mother in-law). I could not find the Panda Antivirus Pro 2012 nor the Norton 360 after scanning my system. Did I miss something?
I ran the combo fix and it was able to download the Microsoft Windows recovery console and complete its scan. The log is below.
I was not able to scan the files you indicated with Jott's malware scanner. When I pasted each file (one at a time) into the file upload window, I got a window that says "file not found".
By the way I might have picked up another redirecting virus (slow/intermittent connection to internet, the hard drive runs unusually fast on start-up as if something is loading, and I lose my internet connection after a few minutes) prior to my running ComboFix. I don't think CobmboFix cured it. I re-enabled my Deluxe Shield as well as my PC Tools Spyware Doctor antivirus checkers and ran them after the ComboFix scan. I'm not sure I did a good thing. The PC Tools Spyware caught a lot of items, though did not defined what items it caught, and fixed those files and the system does not run better.
I appreciate all the help you have provided. Let me know what I should do next.
Ken
The ComboFix log:
ComboFix 11-08-09.02 - User 08/09/2011 19:23:46.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.1115 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: The Shield Deluxe Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"C:\found.001"
"C:\found.002"
"C:\found.003"
"C:\found.004"
"C:\found.005"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-01 21:55 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-27 00:10 . 2011-06-27 00:10 0 ---ha-w- c:\documents and settings\User\Local Settings\Application Data\BITC4.tmp
2011-06-19 01:34 . 2011-06-19 01:34 0 ---ha-w- c:\documents and settings\User\Local Settings\Application Data\BITBD.tmp
2011-06-19 01:17 . 2011-06-19 01:17 0 ---ha-w- c:\documents and settings\User\Local Settings\Application Data\BITBC.tmp
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-07-06 06:23 . 2011-04-30 21:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-09-14 05:10 . 2010-08-07 21:24 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2011-07-01 22:45 . 2008-06-03 17:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\40d9b26e2a8b3f767a ----
.
.
---- Directory of C:\ef60c58cdd1f56bf95401cfaf20940ef ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-10_03.04.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2004-08-04 12:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
+ 2004-08-04 12:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
+ 2011-08-07 06:47 . 2011-08-07 06:47 22016 c:\windows\Installer\1024b4.msi
- 2004-08-04 12:00 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
+ 2004-08-04 12:00 . 2011-04-26 11:07 293376 c:\windows\system32\winsrv.dll
+ 2007-02-03 14:53 . 2011-07-13 16:42 142832 c:\windows\system32\FNTCACHE.DAT
- 2007-02-03 14:53 . 2011-06-09 05:19 142832 c:\windows\system32\FNTCACHE.DAT
+ 2010-06-18 17:45 . 2011-04-26 11:07 293376 c:\windows\system32\dllcache\winsrv.dll
- 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2008-10-15 04:07 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2007-12-18 20:16 . 2011-07-13 08:54 49089992 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-18 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BitDefender Antiphishing Helper"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\IEShow.exe" [2009-09-14 71152]
"BDAgent"="c:\program files\The Shield Deluxe\The Shield Deluxe 2010\bdagent.exe" [2009-09-24 1114536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-04 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-06-15 278528]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-07-01 30192]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
Alarm 95 Help.lnk - c:\windows\winhelp.exe [2004-8-4 256192]
Alarm 95.lnk - c:\program files\Alarm95\Alarm95.exe [2009-8-23 426496]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-9-6 629248]
PsiWin 2.3 Connection Server.lnk - c:\program files\Psion\PsiWin\Psconsv.exe [2008-7-16 286720]
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2010-3-7 368640]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LMIRescue_05cc69be-ef6c-40d9-a32e-51b51a08a20b"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/16/2009 3:34 PM 130936]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/6/2010 5:51 PM 20480]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [9/17/2009 4:12 PM 152328]
R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [3/7/2010 4:25 PM 264576]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-424UB\WLSVC.exe [3/7/2010 4:25 PM 167936]
S3 Arrakis3;The Shield Deluxe Arrakis Server;c:\program files\Common Files\The Shield Deluxe\The Shield Deluxe Arrakis Server\bin\arrakis3.exe [9/13/2009 11:31 PM 183880]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2007 12:00 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 2:51 PM 135664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/2/2008 10:18 AM 348752]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 03:27]
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc076dadee6214.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
.
2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 21:50]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
Trusted Zone: google.com\earth
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BACC9A4A-C40D-46E4-9B44-F839EAFD5C13}: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\lc6vgsqt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-09 19:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-09 20:00:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-10 03:00
ComboFix2.txt 2011-07-10 03:08
.
Pre-Run: 59,016,167,424 bytes free
Post-Run: 59,009,564,672 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7CCFC895A45A57F525FADF7D75C17742
-
Sorry about the delayed response; I have some family members that are sick and it takes most of my free time (elderly father and mother in-law). I could not find the Panda Antivirus Pro 2012 nor the Norton 360 after scanning my system. Did I miss something?
I'm really sorry about your relatives and also the mix-up I caused. I must have confused your thread with another thread. I was juggling too many balls at once.
Are you still getting the re-directs?
By the way I might have picked up another redirecting virus (slow/intermittent connection to internet, the hard drive runs unusually fast on start-up as if something is loading, and I lose my internet connection after a few minutes) prior to my running ComboFix. I don't think CobmboFix cured it. I re-enabled my Deluxe Shield as well as my PC Tools Spyware Doctor antivirus checkers and ran them after the ComboFix scan. I'm not sure I did a good thing.
That could becuse it appears that you two AV programs running at one; McAfee Anti-Virus and Anti-Spyware and The Shield Deluxe Antivirus You should only have one AV running.
Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.
Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
Trusted Zone: google.com\earth
Trusted Zone: internet
Trusted Zone: mcafee.com
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
************************************************
* Download the following tool: RootRepeal - Rootkit Detector (http://rootrepeal.googlepages.com/)
* Direct download link is here: RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip)
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
-
Dave,
The major re-direct problem I originally was having has been solved so my system works much better since I ran the TDSSKiller several posts ago per your instructions. :) Mozilla Firefox is preventing a few re-directs but those are mostly during my visits to commercial websites so I think that might be OK--I overreacted to the few redirects I got after all the work we did.
By the way , the sound on my system has been restored again due to running the TDSSKiller several posts ago per your instructions. :)
I seem to be having trouble hooking up to the internet. I understand the need to have only have one AV running at a time. I'll try contacting McAfee about how to uninstall their anti-virus software that might still be on my system (I may have inadvertently deleted it rather than uninstalled it when I cancelled their service).
I could not get the HiJackThis to run on my system. When I tried to run it I got a window that said "C:\Documents & Settings\User\Desktop\HiJackThisInstaller.exe is not a valid win32 application".
Thought I should not run RootRepeal until we finished with HiJackThis---OK?
What should I do next?
Ken
-
You can use this tool to remove McAfee.
•McAfee Consumer Products Removal Tool - Use on McAfee, AOL distributions of McAfee, CA distributions of McAfee - McAfee Consumer Products Removal tool (http://service.mcafee.com/FAQDocument.aspx?id=TS100507&lc=1033)(MCPR.exe)
Sorry. Please try doing this:
Note: If you still have HJT on your desktop you can skip number 1 and go to number 2.
1. Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.
2. Double Click the HijackThis icon, located on your Desktop.
By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
3. Accept the license agreement.
4. Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)
Trusted Zone: google.com\earth
Trusted Zone: internet
Trusted Zone: mcafee.com
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
*****************************************************
Please run RootRepeal even if HJT doesn't run for you.
-
Dave,
I ran the McAfee Consumer products Removal Tool and all the old McAfee files are gone (I scanned my system as a check). :) Though there is a new McAffee file, McAfee.xml (in C:\Program Files\common Files\the shield deluxe\Setup Info\(alpha numeric code)\extern), from my re-installation of The Shield Deluxe antivirus checker (see next paragraph) that is part of that install.
I took a big detour in order to run the programs you requested in your last post. I had to re-install the Shield Deluxe (I now have the 2011 version) because I forgot my password that is needed in order to disable the checker in order to run RootRepeal--really stupid mistake on my part losing my password. I latter found the password buried in my notes.
It was lucky I found my password because the re-install of Shield Deluxe still insisted on my password to change any settings. By the way, I decided to password protect the Shield Deluxe antivirus setting because I think something (not me) changed only one of the settings, the real time protection, without my knowledge while the other settings were left alone (when I disable my virus checker I turn off all settings).
I tried to run HiJackThis as you requested in your last post. I could not get it to run on my system. When I tried to run it I got a window that said "C:\Documents & Settings\User\Desktop\HiJackThisInstaller.exe is not a valid win32 application". :(
I tried to run RootRepeal, as you requested in your last post, after I turned off my Windows Firewall and the Shield Deluxe anti-virus checker. I could not get it to run on my system. When I tried to run it I got a pop-up window from the Shield Deluxe that said "RootRepeal has been terminated by Active Virus Control". I turned off all the product settings on the preferences window of the Shield Deluxe in preparation for the RootRepeal run. I must not be missing something somewhere and I didn't see the Shield Deluxe listed in your link to methods to disable programs. :(
What do I do next?
Ken
-
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
- Double click on the (http://i424.photobucket.com/albums/pp322/digistar/esetSmartInstallDesktopIcon-1.png) icon on your desktop.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
Dave,
I ran the ESET OnlineScanner and no threats were found. It took about four hours to scan my system's seventy thousand files.
My observations of my current system status: my system does not have the redirect problem and I have sound thanks to your directions to remedy those problems.
However, I think I still have some less serious issues regarding connection. During the mid-afternoon portion of the day (between about 2pm and 5pm) and mid-evening (about 7pm to 9pm) I have problems connecting to the Internet or, while on the Internet during those time periods, my system is so slow it seems as though my machine has locked up. I think this might be a problem with the Internet service provider (Earthlink) because my wife's computer, with whom I share that service via a wireless connection, has a similar problem but her's is not as severe.
Also, I think some of my connection problem might be caused by my wireless network connection (Trendnet to Linksys router) since the signal strength changes occasionally; the signal strength is not steady since it changes from excellent or good to average on occasion.
Additionally, I think an icon in the system tray on my computer is indicating intermittent or loss of wireless network connection when the wave symbol, that normally lights up periodically (white color to green color) next to the monitor symbol, either freezes in the on position (green light) or fails to light (white color).
Any suggestions? What do I do next? I'm interested in making sure all viruses and malware have been removed from my system.
I do appreciate all your help; my improved Internet experience due to your help has allowed me to explore and navigate all the health care options for my ailing father and mother in-law. Again, thank you.
Ken
-
Any suggestions? What do I do next? I'm interested in making sure all viruses and malware have been removed from my system.
I'm quite confident that your computer is clean. Let's run one more scan to check that connection problem
Please download MiniToolBox (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe) to Desktop and run it.
(http://i424.photobucket.com/albums/pp322/digistar/MiniToolBox.png)
Checkmark the following boxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- List content of Hosts
- List IP Configuration
- Lst Last 10 Event Viewer Errors
- List Users, Partitions and Memory Size
[/b]
Click Go and copy/paste the log (Result.txt) into your next post. .
-
Dave,
The MiniToolBox log:
MiniToolBox by Farbar
Ran by User (administrator) on 06-09-2011 at 11:45:46
Microsoft Windows XP Service Pack 3 (X86)
***************************************************************************
========================= Flush DNS: ===================================
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection"
set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp
# Interface IP Configuration for "Wireless Network Connection 11"
set address name="Wireless Network Connection 11" source=dhcp
set dns name="Wireless Network Connection 11" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection 11" source=dhcp
popd
# End of interface IP configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : KenComputer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet for hp
Physical Address. . . . . . . . . : 00-0F-20-6F-6B-2E
Ethernet adapter Wireless Network Connection 11:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TRENDnet TEW-424UB 54M USB Dongle
Physical Address. . . . . . . . . : 00-14-D1-48-33-9E
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Tuesday, September 06, 2011 9:31:46 AM
Lease Expires . . . . . . . . . . : Wednesday, September 07, 2011 9:31:46 AM
Server: UnKnown
Address: 192.168.1.1
Name: google.com
Addresses: 74.125.93.106, 74.125.93.103, 74.125.93.147, 74.125.93.105
74.125.93.99, 74.125.93.104
Pinging google.com [74.125.93.99] with 32 bytes of data:
Reply from 74.125.93.99: bytes=32 time=95ms TTL=53
Reply from 74.125.93.99: bytes=32 time=94ms TTL=53
Ping statistics for 74.125.93.99:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 94ms, Maximum = 95ms, Average = 94ms
Server: UnKnown
Address: 192.168.1.1
Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56
Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=41ms TTL=56
Reply from 98.137.149.56: bytes=32 time=71ms TTL=56
Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 41ms, Maximum = 71ms, Average = 56ms
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0f 20 6f 6b 2e ...... Broadcom NetXtreme Gigabit Ethernet for hp
0x10004 ...00 14 d1 48 33 9e ...... TRENDnet TEW-424UB 54M USB Dongle
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.102 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.0 255.255.255.0 192.168.2.102 192.168.2.102 25
192.168.2.102 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.2.255 255.255.255.255 192.168.2.102 192.168.2.102 25
224.0.0.0 240.0.0.0 192.168.2.102 192.168.2.102 25
255.255.255.255 255.255.255.255 192.168.2.102 10003 1
255.255.255.255 255.255.255.255 192.168.2.102 192.168.2.102 1
Default Gateway: 192.168.2.1
===========================================================================
Persistent Routes:
None
========================= Event log errors: ===============================
Application errors:
==================
Error: (08/29/2011 00:11:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:05 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:05 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:05 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
Error: (08/29/2011 00:11:04 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
System errors:
=============
Error: (09/06/2011 09:30:46 AM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747
Error: (09/04/2011 10:37:16 AM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
Error: (09/04/2011 10:35:32 AM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747
Error: (09/01/2011 09:57:19 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747
Error: (09/01/2011 09:30:57 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747
Error: (09/01/2011 09:08:36 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747
Error: (09/01/2011 08:19:46 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%1747
Error: (09/01/2011 08:18:51 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service failed to start due to the following error:
%%231
Error: (09/01/2011 08:18:51 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service failed to start due to the following error:
%%231
Error: (09/01/2011 08:18:22 PM) (Source: Service Control Manager) (User: )
Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
%%1070
Microsoft Office Sessions:
=========================
Error: (08/29/2011 00:11:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:06 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:05 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:05 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:05 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
Error: (08/29/2011 00:11:04 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.
========================= Memory info: ===================================
Percentage of memory in use: 36%
Total physical RAM: 1527.48 MB
Available physical RAM: 966.02 MB
Total Pagefile: 2904.86 MB
Available Pagefile: 2485.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1905.03 MB
========================= Partitions: =====================================
1 Drive c: () (Fixed) (Total:74.53 GB) (Free:51.72 GB) NTFS
========================= Users: ========================================
User accounts for \\
Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 User
**** End of log ****
-
The signal is going through but, like you said, it is intermittent. Have you tried hardwiring your computer to the modem? It would appear to be a problem with the wireless. Also, please reset your modem and router. Unplug them for a minute.
-
Dave,
With a hardwire connecting my computer to the router located at my wife's computer, I have a good Internet connection. :)
My wife reset the router (pushed the button and unplugged the unit) and disconnected the modem (turned it off at the switch as well as unplugged the unit). It was a lot of work to follow the instructions to get the router, that is wired directly to my wife's system, back up and running but she was finally able to accomplish the task and she has her Internet phone and Internet connection back. There was a side benefit of all this work: we found and properly filed our computer system literature and found some other missing items as well!
My system required more work and was not entirely successful. My wireless Internet connection is worse since the router/modem reset and my reinstalling the wireless software & adapter. :(
After the resetting the modem and router, I could not hookup my system to the Internet (my system: Trendnet wireless USB adapter [TEW-424UB] to Linksys router [Wireless-G Broadband Router--mdl. WRT54G2]). After checking on the Trendnet status, I reentered the security key and was able to get some activity on that device (searching to establish a connection with the router) but still no connection.
I decided to reinstall the Trendnet software on my computer. Immediately after reinstalling, I got fifteen minutes of uninterrupted, though slow, Internet connection until I was disconnected. I could only continue intermittent connection by repairing the connection (by clicking on the icon in the system tray to pop-up a window for that device and then clicking on "Repair"). I had to do this continually to receive about a minute or two of connection.
I kept an eye on the signal strength during this phase of the problem and noticed that it would go from a good connection (multi-bar green) to weak connection (single bar red) back to fair connection (no bar) back to good connection and so forth. The Internet connection was slow during this time frame (for a minute or two) until I loss the connection entirely (red "X"). I have not had this condition in the past.
Before the router/modem reset and my reinstalling the Trendnet software and adapter, I would routinely get periods of no connection to connection periods of an hour or two. Things have gone downhill in regard to wireless connectivity.
By the way, I wonder if the wireless connection is having problems due to the building structure where I live. My place is a small townhouse and has concrete party walls (the wall between units) with wood framing in the interior of the unit. The router is located about twenty five feet away from my computer and is in another room.
Again, the hardwire connection between my computer and the router is working very well and the Google redirect problem has been solved due to your direction. I have an uninterrupted Internet connection with the hardwire.
I'm not sure if my wireless Internet connection problem is a virus\malware issue; perhaps I should start a new post? If so, please advise if I should uninstall the various anti virus software packages that I have installed on my system at your direction. Please include any tips on making the uninstalls successful.
Thank you for your help to date.
Ken
-
I'm not sure if my wireless Internet connection problem is a virus\malware issue
From what you described to me, it would appear that the problem is with the router sending the signal or the receiver. Unfortunately, I can't help you with this. You could start another thread in another forum. Perhaps that may help.
Let's do some cleanup.
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
*************************************************
To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.
- Click the CleanUp button.
- Select Yes when the "Begin cleanup Process?" prompt appears.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
**************************************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*****************************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
Dave,
I successfully completed the uninstall of ComboFix. :)
I don't have OTL.exe on my system; it must have been removed by my running my anti-virus during this Google redirect problem process (see my reply #12, August 10--I shouldn't have done that as you mention in your introductory instructions). :( Do I delete or try to uninstall the following programs that are on my desktop that I downloaded at your direction?
1. TDSKiller.exe
2. tdskiller zip
3. Support-LogMeInRescue.exe
4. RootRepeal zip
5. MiniToolBox.exe
6. HjackThisInstaller.exe
7. esetsmartinstalaler_enu.exe
I want to make sure I don't accidentally run these programs again. To delete I should double right click on the icon and left click on delete in that window? If I need to uninstall any of these programs, please provide instructions.
Are there any other things I have to do to take care of any possible buried files from my deletion of programs that were on my system prior to my reply #12 of August 10 (deleted due to my errant running of my Deluxe Shield anti virus and PC Tools Spyware Doctor)? Those programs were:
1. Super Antispyware (SAS)
2. Malawarebytes
3. DDS
4. RKill
5. Combo.fix
6. Jotti's Malaware scan (I don't think this was a downloaded program?)
The following describes what I did at that time of deletion of those programs (from my reply #12 in August):
"I re-enabled my Deluxe Shield as well as my PC Tools Spyware Doctor antivirus checkers and ran them after the ComboFix scan. I'm not sure I did a good thing. The PC Tools Spyware caught a lot of items, though did not defined what items it caught, and fixed those files and the system does not run better."
Thank you,
Ken
-
Do I delete or try to uninstall the following programs that are on my desktop that I downloaded at your direction?
Yes. If the programs are installed on your desktop, simply delete them or drag them to your Recycling bin. If not installed on your desktop, uninstall them.
Support-LogMeInRescue.exe is not one of the programs I asked you to install.
You may keep SAS and MBAM, if you wish. Update them and run them on a regular basis. All the others can go.
-
Dave,
I got the other programs off my system per your direction. My system is running very well--thank you.
Sorry about the "Support-LogMeIn" program citing. That was the Shield Deluxe anti-virus personnel log-in to help me install their new 2011 program after I thought I lost my password for the 2010 edition. That was a big mess and totally my fault. I now take better care of my passwords.
I think I have one last question. To prevent the loss of my files on the hard drive, I saved some of my files (personal files and not programs I think) on thumb drives (two or three thumb drives up to 1GB capacity each) prior to all your work on my system. I want to know if I can reuse those thumb drives without jeopardizing my system? In other words, can I can plug those thumb drives back into my system, delete the contents, and reuse the thumb drives? I thought I should be safe rather than sorry and ask you before I do this.
Ken
-
In other words, can I can plug those thumb drives back into my system, delete the contents, and reuse the thumb drives? I thought I should be safe rather than sorry and ask you before I do this.
Yes. When you plug in the thumb drives hold the Shift key down for about 10 secs. while inserting them in the USB drive. Then, scan them with your AV and also with SAS and MBAM to be sure that they're clean.
I will lock this thread. If you need it re-opened, please send me a pm.