Google Redirect Virus strikes again!

Dell / Dell dxp051...
April 17, 2010 at 06:50:22
Specs: Microsoft Windows XP Professional, 2.793 GHz / 1022 MB
So I got on my computer the other day to search on Google, and every time I clicked on a link heading it redirected me to some other place. Also, I get randomly booted while browsing the net and playing my MMORPG.
I went to access my McAfee to run a scan and it had been disabled, though I did not disable it.
Also, my McAfee was not working at all after I tried to enable it.
So I asked a computerly inclined person what I should do, and they said to uninstall McAfee and install this AVG and Malwarebytes.
So I tried to uninstall all of McAfee, but I kept getting error messages saying it was still installed.
I was then told to install HijackThis and remove the rest of McAfee; we also installed ATF Cleaner and ran it.
Since I did all that craziness, AVG found Trojan horse SHeur3.RSP and some fast tracking cookies.
Malwarebytes seemingly finds nothing every scan.

My computer is still booting me off the net, and I am still getting misdirected every time I click on a link.

I don't want to bury my PC just yet, so please, please, Computing.net, unpimp my virus!

Thank you, thank you

#1
April 17, 2010 at 07:25:13
Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded, you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt (do not zip just copy/paste)

Save both reports to your desktop, then post them please. You may need to post in segments to get all the info to us, as the logs may be too large to fit in one post.

Download TDSSKiller to your Desktop from the following link.

TDSSKiller

1. Extract the contents of TDSSKiller.zip to your Desktop.

2. Double click on TDSSKiller.exe to run it.

3. If it finds something and asks you what to do, follow the instructions to type in "delete".

4. When done, a log file should be created on your C: drive called TDSSKiller.txt (with time and date appended); please post this log in your next reply.

#2
April 17, 2010 at 21:31:34
DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/23/2008 11:21:34 AM
System Uptime: 4/17/2010 10:15:06 PM (0 hours ago)

Motherboard: Dell Inc. | | 0FJ030
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 86.056 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP517: 4/17/2010 6:49:02 AM - System Checkpoint
RP518: 4/17/2010 7:39:37 AM - Installed Java(TM) 6 Update 20

==== Hosts File Hijack ======================

Hosts: 89.149.249.198 www.google.com
Hosts: 89.149.249.198 www.google.de
Hosts: 89.149.249.198 www.google.fr
Hosts: 89.149.249.198 www.google.co.uk
Hosts: 89.149.249.198 www.google.com.br
Hosts: 89.149.249.198 www.google.it
Hosts: 89.149.249.198 www.google.es
Hosts: 89.149.249.198 www.google.co.jp
Hosts: 89.149.249.198 www.google.com.mx
Hosts: 89.149.249.198 www.google.ca
Hosts: 89.149.249.198 www.google.com.au
Hosts: 89.149.249.198 www.google.nl
Hosts: 89.149.249.198 www.google.co.za
Hosts: 89.149.249.198 www.google.be
Hosts: 89.149.249.198 www.google.gr
Hosts: 89.149.249.198 www.google.at
Hosts: 89.149.249.198 www.google.se
Hosts: 89.149.249.198 www.google.ch
Hosts: 89.149.249.198 www.google.pt
Hosts: 89.149.249.198 www.google.dk
Hosts: 89.149.249.198 www.google.fi
Hosts: 89.149.249.198 www.google.ie
Hosts: 89.149.249.198 www.google.no
Hosts: 89.149.249.198 www.google.ru
Hosts: 89.149.249.198 www.google.ua
Hosts: 89.149.249.198 www.google.pl
Hosts: 89.149.249.198 www.google.ro
Hosts: 89.149.249.198 www.google.co.nz
Hosts: 89.149.249.198 www.google.in
Hosts: 89.149.249.198 www.google.th
Hosts: 89.149.249.198 www.google.tr
Hosts: 89.149.249.198 www.google.hu
Hosts: 89.149.249.198 www.google.cr
Hosts: 89.149.249.198 www.google.lv
Hosts: 89.149.249.198 www.google.lt
Hosts: 89.149.249.198 www.google.bg
Hosts: 89.149.249.198 www.google.be
Hosts: 89.149.249.198 www.google.vn
Hosts: 89.149.249.198 www.google.ve
Hosts: 89.149.249.198 www.google.sw
Hosts: 89.149.249.198 search.yahoo.com
Hosts: 89.149.249.198 us.search.yahoo.com
Hosts: 89.149.249.198 uk.search.yahoo.com

==== Installed Programs ======================

ACDSee for PENTAX 3.0
Akamai NetSession Interface
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
AVG 9.0
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Download Manager
FrostWire 4.18.0
GemMaster Mystic
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel(R) PRO Network Connections Drivers
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 6 Service Pack 2 (KB954459)
Otto
QuickTime
Sansa Media Converter
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
SigmaTel Audio
Skins
Sonic Encoders
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
Warcraft III: All Products
WebFldrs XP
Windows 7 Upgrade Advisor
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows System Scanner
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Xfire (remove only)
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
Yahoo! Software Update

==== Event Viewer Messages From Past Week ========

4/17/2010 4:47:22 AM, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The system cannot find the file specified.
4/17/2010 4:47:22 AM, error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The system cannot find the path specified.
4/17/2010 2:15:51 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the dlcd_device service to connect.
4/17/2010 2:15:51 AM, error: Service Control Manager [7000] - The dlcd_device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/15/2010 2:33:59 AM, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The system cannot find the path specified.
4/15/2010 2:33:59 AM, error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The system cannot find the file specified.
4/14/2010 4:24:47 PM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
4/14/2010 2:29:49 PM, error: Service Control Manager [7023] - The McAfee SystemGuards service terminated with the following error: Unspecified error
4/14/2010 2:27:40 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The system cannot find the path specified.
4/13/2010 8:52:46 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


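The Attach.txt above lists dozens of Google and Yahoo search hostnames pinned to 89.149.249.198 in the hosts file, which on Windows XP lives at %SystemRoot%\system32\drivers\etc\hosts. The Python script below is an added example, not code from the original thread or from DDS: it parses either a raw hosts file or the "Hosts:" lines that DDS prints, and reports every hostname mapped to anything other than a loopback or sinkhole address, grouped by the address it points to. The sample input is constructed from a default localhost line plus a few of the entries shown above.

```python
"""Hosts-file hijack check (added example, not from the original thread or DDS).

Accepts either a raw Windows hosts file or the ``Hosts: IP host`` lines that a
DDS report prints, and returns every hostname that resolves somewhere other
than a loopback or sinkhole address, grouped by target address.
"""
import ipaddress
from collections import defaultdict

# Addresses that are legitimately present in a hosts file and never a hijack.
_BENIGN_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),   # IPv4 loopback
    ipaddress.ip_network("::1/128"),       # IPv6 loopback
    ipaddress.ip_network("0.0.0.0/32"),    # common ad-blocking sinkhole
]


def _is_benign(addr: str) -> bool:
    """True for loopback/sinkhole targets; False for anything else or non-IPs."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in _BENIGN_NETS)


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file lines or DDS 'Hosts:' lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if line.lower().startswith("hosts:"):         # DDS report prefix
            line = line[len("hosts:"):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]               # one IP, one or more names
        for name in names:
            yield ip, name.lower()


def find_hijacks(text: str) -> dict:
    """Return {target_ip: sorted([hostnames])} for every non-benign mapping."""
    by_target = defaultdict(set)
    for ip, name in parse_hosts(text):
        if not _is_benign(ip):
            by_target[ip].add(name)
    return {ip: sorted(names) for ip, names in by_target.items()}


# Constructed sample: a stock localhost line plus redirect entries taken from
# the DDS Attach.txt posted in this thread (both DDS and raw formats).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
Hosts: 89.149.249.198 www.google.com
Hosts: 89.149.249.198 www.google.co.uk
89.149.249.198  search.yahoo.com us.search.yahoo.com
"""

if __name__ == "__main__":
    for target, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{len(names)} hostname(s) redirected to {target}:")
        for n in names:
            print("   ", n)
```

A clean hosts file is necessary but not sufficient here: a kernel-level rootkit that hooks DNS or the TCP/IP stack can redirect searches with no hosts entries at all, which is why the TDSSKiller run was requested alongside this log.
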
#3
April 17, 2010 at 21:32:17
DDS (Ver_10-03-17.01) - NTFSx86
Run by Melody and Martin at 22:27:04.89 on Sat 04/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.458 [GMT -6:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Melody and Martin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://192.168.1.1/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Melody and Martin] c:\documents and settings\melody and martin\Melody and Martin.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
mRun: [MemoryCardManager] c:\program files\dell photo aio printer 944\memcard.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 89.149.249.198 www.google.com
Hosts: 89.149.249.198 www.google.de
Hosts: 89.149.249.198 www.google.fr
Hosts: 89.149.249.198 www.google.co.uk
Hosts: 89.149.249.198 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\melody~1\applic~1\mozilla\firefox\profiles\yl83sjag.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-4-14 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-4-14 52872]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-17 340592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-14 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-14 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-14 242696]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-10 14336]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-14 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-4-14 2325816]
R2 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-7 54752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-4-14 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-4-14 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-4-14 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-4-14 26120]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jqrjnu.sys --> c:\windows\system32\drivers\jqrjnu.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-4-14 30104]
S3 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-4-14 5888008]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~2\mcsysmon.exe --> c:\progra~1\mcafee\viruss~2\mcsysmon.exe [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-6-17 90360]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-6-17 42424]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-24 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-24 40552]

=============== Created Last 30 ================

2010-04-17 13:39:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-17 13:39:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 12:19:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 12:19:06 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 12:19:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 11:46:48 10 ----a-w- c:\windows\WININIT.INI
2010-04-17 11:16:03 0 d-----w- c:\windows\Performance
2010-04-17 11:15:25 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-04-17 01:24:13 0 d-----w- c:\docume~1\melody~1\applic~1\AVG9
2010-04-15 04:35:59 0 d-----w- c:\docume~1\melody~1\applic~1\Malwarebytes
2010-04-15 04:34:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-14 21:45:10 0 d--h--w- C:\$AVG
2010-04-14 21:41:11 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-14 21:41:08 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-14 21:41:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-14 21:40:51 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-14 21:39:07 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-04-14 21:39:07 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-04-14 21:38:45 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-04-14 21:38:45 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-04-14 21:36:54 0 d-----w- c:\program files\AVG
2010-04-14 21:36:20 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-14 21:18:48 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-12 12:24:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-26 00:17:55 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-03-26 00:17:55 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

==================== Find3M ====================

2010-04-15 01:14:28 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 22:27:49.20 ===============



#4
April 17, 2010 at 21:53:04
22:45:35:359 3756 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
22:45:35:359 3756 ================================================================================
22:45:35:359 3756 SystemInfo:

22:45:35:359 3756 OS Version: 5.1.2600 ServicePack: 3.0
22:45:35:359 3756 Product type: Workstation
22:45:35:359 3756 ComputerName: HOME-COMPUTER
22:45:35:359 3756 UserName: Melody and Martin
22:45:35:359 3756 Windows directory: C:\WINDOWS
22:45:35:359 3756 Processor architecture: Intel x86
22:45:35:359 3756 Number of processors: 2
22:45:35:359 3756 Page size: 0x1000
22:45:35:359 3756 Boot type: Normal boot
22:45:35:359 3756 ================================================================================
22:45:35:375 3756 UnloadDriverW: NtUnloadDriver error 2
22:45:35:375 3756 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:45:35:406 3756 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:45:35:406 3756 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:45:35:406 3756 wfopen_ex: Trying to KLMD file open
22:45:35:406 3756 wfopen_ex: File opened ok (Flags 2)
22:45:35:406 3756 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:45:35:406 3756 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:45:35:406 3756 wfopen_ex: Trying to KLMD file open
22:45:35:406 3756 wfopen_ex: File opened ok (Flags 2)
22:45:35:406 3756 Initialize success
22:45:35:406 3756
22:45:35:406 3756 Scanning Services ...
22:45:35:593 3756 Raw services enum returned 361 services
22:45:35:609 3756
22:45:35:609 3756 Scanning Kernel memory ...
22:45:35:609 3756 Devices to scan: 4
22:45:35:609 3756
22:45:35:609 3756 Driver Name: Disk
22:45:35:609 3756 IRP_MJ_CREATE : F7598BB0
22:45:35:609 3756 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:45:35:609 3756 IRP_MJ_CLOSE : F7598BB0
22:45:35:609 3756 IRP_MJ_READ : F7592D1F
22:45:35:609 3756 IRP_MJ_WRITE : F7592D1F
22:45:35:609 3756 IRP_MJ_QUERY_INFORMATION : 804F4562
22:45:35:609 3756 IRP_MJ_SET_INFORMATION : 804F4562
22:45:35:609 3756 IRP_MJ_QUERY_EA : 804F4562
22:45:35:609 3756 IRP_MJ_SET_EA : 804F4562
22:45:35:609 3756 IRP_MJ_FLUSH_BUFFERS : F75932E2
22:45:35:609 3756 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:45:35:609 3756 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:45:35:609 3756 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:45:35:609 3756 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:45:35:609 3756 IRP_MJ_DEVICE_CONTROL : F75933BB
22:45:35:609 3756 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7596F28
22:45:35:609 3756 IRP_MJ_SHUTDOWN : F75932E2
22:45:35:609 3756 IRP_MJ_LOCK_CONTROL : 804F4562
22:45:35:609 3756 IRP_MJ_CLEANUP : 804F4562
22:45:35:609 3756 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:45:35:609 3756 IRP_MJ_QUERY_SECURITY : 804F4562
22:45:35:609 3756 IRP_MJ_SET_SECURITY : 804F4562
22:45:35:609 3756 IRP_MJ_POWER : F7594C82
22:45:35:609 3756 IRP_MJ_SYSTEM_CONTROL : F759999E
22:45:35:609 3756 IRP_MJ_DEVICE_CHANGE : 804F4562
22:45:35:609 3756 IRP_MJ_QUERY_QUOTA : 804F4562
22:45:35:609 3756 IRP_MJ_SET_QUOTA : 804F4562
22:45:35:625 3756 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:45:35:625 3756
22:45:35:625 3756 Driver Name: Disk
22:45:35:625 3756 IRP_MJ_CREATE : F7598BB0
22:45:35:625 3756 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:45:35:625 3756 IRP_MJ_CLOSE : F7598BB0
22:45:35:625 3756 IRP_MJ_READ : F7592D1F
22:45:35:625 3756 IRP_MJ_WRITE : F7592D1F
22:45:35:625 3756 IRP_MJ_QUERY_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_SET_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_QUERY_EA : 804F4562
22:45:35:625 3756 IRP_MJ_SET_EA : 804F4562
22:45:35:625 3756 IRP_MJ_FLUSH_BUFFERS : F75932E2
22:45:35:625 3756 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:45:35:625 3756 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:45:35:625 3756 IRP_MJ_DEVICE_CONTROL : F75933BB
22:45:35:625 3756 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7596F28
22:45:35:625 3756 IRP_MJ_SHUTDOWN : F75932E2
22:45:35:625 3756 IRP_MJ_LOCK_CONTROL : 804F4562
22:45:35:625 3756 IRP_MJ_CLEANUP : 804F4562
22:45:35:625 3756 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:45:35:625 3756 IRP_MJ_QUERY_SECURITY : 804F4562
22:45:35:625 3756 IRP_MJ_SET_SECURITY : 804F4562
22:45:35:625 3756 IRP_MJ_POWER : F7594C82
22:45:35:625 3756 IRP_MJ_SYSTEM_CONTROL : F759999E
22:45:35:625 3756 IRP_MJ_DEVICE_CHANGE : 804F4562
22:45:35:625 3756 IRP_MJ_QUERY_QUOTA : 804F4562
22:45:35:625 3756 IRP_MJ_SET_QUOTA : 804F4562
22:45:35:625 3756 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:45:35:625 3756
22:45:35:625 3756 Driver Name: Disk
22:45:35:625 3756 IRP_MJ_CREATE : F7598BB0
22:45:35:625 3756 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:45:35:625 3756 IRP_MJ_CLOSE : F7598BB0
22:45:35:625 3756 IRP_MJ_READ : F7592D1F
22:45:35:625 3756 IRP_MJ_WRITE : F7592D1F
22:45:35:625 3756 IRP_MJ_QUERY_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_SET_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_QUERY_EA : 804F4562
22:45:35:625 3756 IRP_MJ_SET_EA : 804F4562
22:45:35:625 3756 IRP_MJ_FLUSH_BUFFERS : F75932E2
22:45:35:625 3756 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:45:35:625 3756 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:45:35:625 3756 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:45:35:625 3756 IRP_MJ_DEVICE_CONTROL : F75933BB
22:45:35:625 3756 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7596F28
22:45:35:625 3756 IRP_MJ_SHUTDOWN : F75932E2
22:45:35:625 3756 IRP_MJ_LOCK_CONTROL : 804F4562
22:45:35:625 3756 IRP_MJ_CLEANUP : 804F4562
22:45:35:625 3756 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:45:35:625 3756 IRP_MJ_QUERY_SECURITY : 804F4562
22:45:35:625 3756 IRP_MJ_SET_SECURITY : 804F4562
22:45:35:625 3756 IRP_MJ_POWER : F7594C82
22:45:35:625 3756 IRP_MJ_SYSTEM_CONTROL : F759999E
22:45:35:625 3756 IRP_MJ_DEVICE_CHANGE : 804F4562
22:45:35:625 3756 IRP_MJ_QUERY_QUOTA : 804F4562
22:45:35:625 3756 IRP_MJ_SET_QUOTA : 804F4562
22:45:35:640 3756 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:45:35:640 3756
22:45:35:640 3756 Driver Name: iastor
22:45:35:640 3756 IRP_MJ_CREATE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_CREATE_NAMED_PIPE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_CLOSE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_READ : 85D8EAC8
22:45:35:640 3756 IRP_MJ_WRITE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_QUERY_INFORMATION : 85D8EAC8
22:45:35:640 3756 IRP_MJ_SET_INFORMATION : 85D8EAC8
22:45:35:640 3756 IRP_MJ_QUERY_EA : 85D8EAC8
22:45:35:640 3756 IRP_MJ_SET_EA : 85D8EAC8
22:45:35:640 3756 IRP_MJ_FLUSH_BUFFERS : 85D8EAC8
22:45:35:640 3756 IRP_MJ_QUERY_VOLUME_INFORMATION : 85D8EAC8
22:45:35:640 3756 IRP_MJ_SET_VOLUME_INFORMATION : 85D8EAC8
22:45:35:640 3756 IRP_MJ_DIRECTORY_CONTROL : 85D8EAC8
22:45:35:640 3756 IRP_MJ_FILE_SYSTEM_CONTROL : 85D8EAC8
22:45:35:640 3756 IRP_MJ_DEVICE_CONTROL : 85D8EAC8
22:45:35:640 3756 IRP_MJ_INTERNAL_DEVICE_CONTROL : 85D8EAC8
22:45:35:640 3756 IRP_MJ_SHUTDOWN : 85D8EAC8
22:45:35:640 3756 IRP_MJ_LOCK_CONTROL : 85D8EAC8
22:45:35:640 3756 IRP_MJ_CLEANUP : 85D8EAC8
22:45:35:640 3756 IRP_MJ_CREATE_MAILSLOT : 85D8EAC8
22:45:35:640 3756 IRP_MJ_QUERY_SECURITY : 85D8EAC8
22:45:35:640 3756 IRP_MJ_SET_SECURITY : 85D8EAC8
22:45:35:640 3756 IRP_MJ_POWER : 85D8EAC8
22:45:35:640 3756 IRP_MJ_SYSTEM_CONTROL : 85D8EAC8
22:45:35:640 3756 IRP_MJ_DEVICE_CHANGE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_QUERY_QUOTA : 85D8EAC8
22:45:35:640 3756 IRP_MJ_SET_QUOTA : 85D8EAC8
22:45:35:640 3756 Driver "iastor" infected by TDSS rootkit!
22:45:35:640 3756 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
22:45:35:640 3756 File "C:\WINDOWS\system32\drivers\iaStor.sys" infected by TDSS rootkit ...
22:45:35:640 3756 Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
22:45:35:640 3756 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
22:45:35:734 3756 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
22:45:35:968 3756 !fdfb7
22:45:35:968 3756 vfvi6
22:45:36:046 3756 !dsvbh1
22:45:36:171 3756 dsvbh2
22:45:36:171 3756 Backup copy2 found, using it..
22:45:36:171 3756 will be cured on next reboot
22:45:36:171 3756 Reboot required for cure complete..
22:45:36:187 3756 Cure on reboot scheduled successfully
22:45:36:187 3756
22:45:36:187 3756 Completed
22:45:36:187 3756
22:45:36:187 3756 Results:
22:45:36:187 3756 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
22:45:36:187 3756 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:45:36:187 3756 File objects infected / cured / cured on reboot: 1 / 0 / 1
22:45:36:187 3756
22:45:36:187 3756 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:45:36:187 3756 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:45:36:187 3756 UnloadDriverW: NtUnloadDriver error 1
22:45:36:187 3756 KLMD(ARK) unloaded successfully

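An added example, not from this thread or from TDSSKiller's authors, that parses the log above and applies the same tell the tool reports: every IRP_MJ_* entry of the hooked iastor driver resolves to the single address 85D8EAC8, while disk.sys keeps distinct handlers per request type. The sample log is a constructed excerpt whose addresses are copied from the post.

```python
import re
from collections import defaultdict

# Constructed excerpt of a TDSSKiller 2.2.8.1 log, modelled on the post above
# (a subset of IRP_MJ_* lines; addresses copied from the posted log).
SAMPLE_LOG = """\
22:45:35:609 3756 Driver Name: Disk
22:45:35:609 3756 IRP_MJ_CREATE : F7598BB0
22:45:35:609 3756 IRP_MJ_CLOSE : F7598BB0
22:45:35:609 3756 IRP_MJ_READ : F7592D1F
22:45:35:609 3756 IRP_MJ_WRITE : F7592D1F
22:45:35:609 3756 IRP_MJ_DEVICE_CONTROL : F75933BB
22:45:35:625 3756 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
22:45:35:640 3756 Driver Name: iastor
22:45:35:640 3756 IRP_MJ_CREATE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_CLOSE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_READ : 85D8EAC8
22:45:35:640 3756 IRP_MJ_WRITE : 85D8EAC8
22:45:35:640 3756 IRP_MJ_DEVICE_CONTROL : 85D8EAC8
22:45:35:640 3756 Driver "iastor" infected by TDSS rootkit!
22:45:35:640 3756 C:\\WINDOWS\\system32\\drivers\\iaStor.sys - Verdict: 1
22:45:36:187 3756 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# "HH:MM:SS:ms  pid  message" -> message; lines with an empty message are skipped
LINE = re.compile(r"^\d\d:\d\d:\d\d:\d+\s+\d+\s+(.*)$")
IRP = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-F]{8})$")
INFECTED = re.compile(r'^Driver "(\w+)" infected by TDSS rootkit')


def parse_tdsskiller(text):
    """Return (handlers, infected): handlers maps driver -> {IRP_MJ_* -> address};
    infected is the set of driver names the tool itself flagged."""
    handlers, infected, current = defaultdict(dict), set(), None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Driver Name: "):
            current = msg[len("Driver Name: "):]
        elif current and (i := IRP.match(msg)):
            handlers[current][i.group(1)] = i.group(2)
        elif f := INFECTED.match(msg):
            infected.add(f.group(1))
    return dict(handlers), infected


def suspicious_dispatch_tables(handlers):
    """Flag drivers whose whole IRP dispatch table points at one address, the
    pattern the log shows for iastor; a clean driver has distinct handlers."""
    return {drv for drv, table in handlers.items() if len(set(table.values())) == 1}
```

The heuristic is independent of the tool's own verdict, so it also surfaces a driver the signature missed; compare its output with the "infected" set to see where the two agree.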

#5
April 17, 2010 at 21:54:29
OK, hopefully this will help you guys help me. I'll keep checking from time to time for further responses. Again, thank you for any help you give or will give x:o)


#6
April 17, 2010 at 22:26:46
The first thing you should have done was to use McAfee's uninstaller from their website. That will uninstall the registry entries.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#7
April 18, 2010 at 07:02:48
Please download OTL from following site:

OTL by OldTimer

1. Save it to your desktop
2. Double click the OTL icon on your desktop
3. Close any open browsers.
4. Double-click on OTL.exe to start the program.

Under the Custom Scans/Fixes box at the bottom, paste in text between the X's
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
:Commands
[resethosts]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then click the Run Fix button at the top
Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply.

McAfee Removal Tool Instructions

Please download ComboFix with Internet Explorer instead of any other browser if possible.

Remember: your AVG antivirus, Windows Defender, and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#8
April 18, 2010 at 10:35:35
This is the OTL log:

========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.1.2 log created on 04182010_112018




#9
April 18, 2010 at 12:41:29
I do believe my virus has been UNPIMPED!

status: x:o)

I have the combofix log it created after it was done, do you want me to post it?



#10
April 18, 2010 at 15:15:41
Please post your ComboFix log; malware often rebuilds itself using morphed files that we may need to delete. And there is some clean-up you need to do after we look at the log.
