Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: B_in Ohio on November 13, 2010, 02:08:33 AM
-
Hello all. I am under the belief that the ThinkPoint worm/virus (?) got a bit further than we thought. I was running 4.8 and I think someone here clicked a 'bogus' survey on face_ook, and the rest is unfortunate history.
Occasional redirects of websites, and 5.0 is blocking a malicious URL... rootkit?
Anyway, now on 5.0, MBAM and CCleaner. At least 3 full boat scans, and still from time to time, with just Firefox open, 5.0 will give me the pop-up window that states "malicious URL blocked" (I will try and attach a pic for this).
Also a lot less now, but still an occasional redirect when I want to Google certain websites. So of course I used another machine and have driven myself crazy trying to figure this thing out... so all I can come up with is a rootkit? virus? How can I get rid of this without reformatting (not an option anywhere near the top of my list)? I wanted to ask the experts because there are no less than 6 solutions on YouTube (using other programs) and who knows if those are any good... Thanks in advance.
Machine is an HP Mini with XP Home, SP3.
-
1. Do a Dr.Web CureIt! scan:
http://www.freedrweb.com/cureit/?lng=en
2. Do an MBAM scan:
http://www.malwarebytes.org/mbam.php
3. Do a SUPERAntiSpyware scan:
http://www.superantispyware.com/download.html
4. Do a scan with Radix Anti-Rootkit. THIS MAY LEAD TO A BSoD, SO SAVE YOUR WORK BEFORE DOING THE SCAN.
http://www.usec.at/rootkit.html
5. Post a Hijack Hunter log here after doing steps 1, 2, 3 and 4:
http://www.novirusthanks.org/products/hijack-hunter/
6. Maybe further steps will come after you tell us the results of your scans.
-
B_in Ohio
The state you describe above gives me 2 ideas: your Windows Winsock is hijacked, or your Windows HOSTS file is.
If you did a full scan with MBAM and avast! and still had no luck, do this:
In CCleaner (make sure you always use the latest version), check 'DNS Cache' too and let it clean up everything.
Now go to http://www.omidfarhang.com/computer/security/virus-removing and follow numbers #4 and #6 for a quick action; if no luck yet, start from number one to the end.
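Omid's first idea above, a hijacked HOSTS file, can be checked mechanically. The following script is an added example (not from the thread or from any tool named in it): it parses HOSTS-file text, flags any name mapped to a non-loopback address (the redirect pattern the thread describes) and any watched security-vendor domain blackholed to loopback. The sample content is constructed; on a real XP machine the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag suspicious entries in a Windows HOSTS file (added example).

A clean HOSTS file normally holds only loopback entries for localhost. Malware
that causes browser redirects often adds lines mapping search engines or
security vendors to an attacker-chosen IP, or blackholes vendor sites to
127.0.0.1 so updates and downloads silently fail.
"""
import ipaddress
import re

# Constructed sample: the first three lines are normal, the rest are the kind of
# entries a hijack would add (IPs come from documentation ranges, not real hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com
203.0.113.7     www.malwarebytes.org  # redirect a security vendor
198.51.100.9    update.microsoft.com
127.0.0.1       www.avast.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are ignored and a
    line with several names yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_loopback(ip_text):
    """True for 127.0.0.0/8 and ::1; False for anything else, including junk."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def find_suspicious(text, watch_domains=()):
    """Return (ip, name, reason) for entries that redirect a name to a
    non-loopback address, or that blackhole a watched domain to loopback."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_loopback(ip):
            findings.append((ip, name, "non-loopback mapping (possible redirect)"))
        elif name != "localhost" and any(name.endswith(d) for d in watch_domains):
            findings.append((ip, name, "watched domain blackholed to loopback"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in find_suspicious(SAMPLE_HOSTS, ("avast.com", "malwarebytes.org")):
        print(f"{ip:<16} {name:<28} {reason}")
```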
-
Last night (early this morning) I ran avast, SUPERAntiSpyware and MBAM again; neither picked up anything. I also did CCleaner. I will try CCleaner again just now with the specifics listed from Omid.
-
Well, if true, HitmanPro already found stuff that others did not...
"possible variant of the TDL3 rootkit"; it also says master boot record (sector 0)... C$MBR. Is this Windows or malicious? It is a program flagged for delete. I will wait to hear on that master boot record find before I delete....
-
ThinkPoint sometimes brings along the TDL4 bootkit for company - to check that out:
DO NOT LET HITMANPRO DELETE THE MBR
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure; click on Continue.
- If a suspicious file is detected, the default action will be Skip; click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
I thought the MBR was Windows... I'm not deleting it... I will modify and then finish HitmanPro.
-
That is why I asked for an anti-rootkit log, Omid, since the redirections may be caused by a TDL rootkit ;)
-
OK Omid, I am done with your recommendations... I am restarting the computer now. BTW, since previous posts, MBAM did not find anything and I ran HitmanPro and Hosts Pro...
What is a good way to check the system now? The only thing I can think of is to try and open Firefox and see if I get redirected....
superhacker, I am also going to read your recommendations next....
-
No problem, all helpers here care about your system, not the order of following ;)
-
Reboot, and Firefox will not start... IE8 seems to load pages without redirects (I tried going to some of the same websites that it redirected me from: Google, a search for CNET, Major Geeks, etc.). Well, about 3 mins elapsed and a threat was just blocked (a redirect)... aaaaaaaaarrrrrrrgh!
How else can I check and see if my system is clean? Will TDSSKiller find issues with other programs installed, or should I just give it a go? And where do I get the TDSS program, from your link or CNET?
-
This is the same malware I have been fighting for two weeks on multiple customer machines.
System scans end up clean but TDSSKiller shows infection. Remove the MBR infection and 30 minutes later it is infected again.
Only F-Secure seems to detect a single file, tempb.exe, in the Network and Local Service profiles; other than that it's about as worthless.
-
I did a restore to a restore point a couple of days ago and that did not help; it seemed to still be locked up, etc. Maybe I did not go back far enough.
-
Most viruses and malware infect the system restore points. It may have helped some damaged system files.
-
Here is the TDSS log...
2010/11/13 10:18:55.0453 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/13 10:18:55.0453 ================================================================================
2010/11/13 10:18:55.0453 SystemInfo:
2010/11/13 10:18:55.0453
2010/11/13 10:18:55.0453 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/13 10:18:55.0453 Product type: Workstation
2010/11/13 10:18:55.0453 ComputerName: ALESIA
2010/11/13 10:18:55.0453 UserName: hp
2010/11/13 10:18:55.0453 Windows directory: C:\WINDOWS
2010/11/13 10:18:55.0453 System windows directory: C:\WINDOWS
2010/11/13 10:18:55.0453 Processor architecture: Intel x86
2010/11/13 10:18:55.0453 Number of processors: 2
2010/11/13 10:18:55.0453 Page size: 0x1000
2010/11/13 10:18:55.0453 Boot type: Normal boot
2010/11/13 10:18:55.0453 ================================================================================
2010/11/13 10:18:55.0921 Initialize success
2010/11/13 10:19:14.0843 ================================================================================
2010/11/13 10:19:14.0843 Scan started
2010/11/13 10:19:14.0843 Mode: Manual;
2010/11/13 10:19:14.0843 ================================================================================
2010/11/13 10:19:32.0953 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/13 10:19:32.0953 ================================================================================
2010/11/13 10:19:32.0953 Scan finished
2010/11/13 10:19:32.0968 ================================================================================
2010/11/13 10:19:33.0000 Detected object count: 1
2010/11/13 10:20:13.0171 \HardDisk0 - will be cured after reboot
2010/11/13 10:20:13.0171 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/13 10:20:31.0968 Deinitialize success
Sorry, had to split the log; it was over the maximum....
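The TDSSKiller log B_in Ohio posted is mostly driver enumeration; what a helper actually reads are the "detected", "Detected object count", "will be cured after reboot" and "User select action" lines. The parser below is an added example (not TDSSKiller's own code or anything from the thread) that pulls those out of a constructed sample in the same format and decides whether the log alone says the machine still needs attention.

```python
"""Summarise a TDSSKiller log: detections, chosen actions, pending reboot.

Added example, not TDSSKiller's own code. The line shapes are modelled on the
log posted in the thread: after a timestamp, a line is either a driver entry
"<service> (<md5>) <path>", a detection "<object> - detected <name> (n)",
"Detected object count: n", "<object> - will be cured after reboot", or
"<name>(<object>) - User select action: <action>".
"""
import re
from collections import namedtuple

Detection = namedtuple("Detection", "object name action")
Summary = namedtuple("Summary", "detections reported drivers reboot_pending")

# Constructed sample in the thread's log format, abridged to a single driver line.
SAMPLE_LOG = """\
2010/11/13 10:18:55.0453 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22
2010/11/13 10:18:55.0453 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/13 10:19:14.0843 Scan started
2010/11/13 10:19:15.0656 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
2010/11/13 10:19:32.0953 \\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/13 10:19:32.0953 Scan finished
2010/11/13 10:19:33.0000 Detected object count: 1
2010/11/13 10:20:13.0171 \\HardDisk0 - will be cured after reboot
2010/11/13 10:20:13.0171 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) - User select action: Cure
2010/11/13 10:20:31.0968 Deinitialize success
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DETECTED = re.compile(TS + r"(?P<obj>\S+) - detected (?P<name>\S+)")
PENDING = re.compile(TS + r"(?P<obj>\S+) - will be cured after reboot")
ACTION = re.compile(TS + r"(?P<name>\S+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)")
COUNT = re.compile(TS + r"Detected object count: (?P<n>\d+)")
DRIVER = re.compile(TS + r"(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")


def parse_tdsskiller_log(text):
    """Return a Summary. Each Detection keeps the action the user chose for it,
    or None if no action line followed (treat that as unresolved)."""
    detections, reported, drivers, pending = {}, None, 0, set()
    for line in text.splitlines():
        m = DETECTED.match(line)
        if m:
            detections[m["obj"]] = Detection(m["obj"], m["name"], None)
            continue
        m = PENDING.match(line)
        if m:
            pending.add(m["obj"])
            continue
        m = ACTION.match(line)
        if m and m["obj"] in detections:
            detections[m["obj"]] = detections[m["obj"]]._replace(action=m["action"])
            continue
        m = COUNT.match(line)
        if m:
            reported = int(m["n"])
            continue
        if DRIVER.match(line):
            drivers += 1
    return Summary(list(detections.values()), reported, drivers, pending)


def needs_followup(summary):
    """True unless every reported object was detected and set to Cure. A Skipped
    detection, a missing action, a missing or mismatched count all mean the log
    alone does not show a clean machine; a post-reboot rescan is still needed
    even when this returns False, since the cure only happens at reboot."""
    if summary.reported is None or summary.reported != len(summary.detections):
        return True
    return any(d.action != "Cure" for d in summary.detections)


if __name__ == "__main__":
    s = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{s.drivers} drivers enumerated, {s.reported} object(s) reported")
    for d in s.detections:
        print(f"  {d.object}: {d.name} -> action {d.action}")
    print("reboot pending for:", sorted(s.reboot_pending))
    print("needs follow-up:", needs_followup(s))
```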
-
Why didn't you attach it..?? ;)
-
I dunno...
I'm new and frustrated with this whole thing... up half the night, can't see, etc. etc...
-
As I see it, the rootkit should be cured after reboot. So now reboot and tell us the news with another scan; attach the log, to see if the rootkit is there again.
-
No problem..! And don't worry, essexboy will clean your machine...!! ;)
Have a nice weekend,
asyn
-
Well Asyn, as I see it, TDSSKiller did detect a rootkit for him. So he must reboot like Essex said. ;)
-
Reboot has been done, twice... one hung up and then a good reboot....
Had some browsers open and did not get the redirect....
But here is the log....
Tell me what you see... (fingers crossed)
-
Looks to have gone - run a full scan with MBAM now and post the report it generates, plus any problems you are still experiencing
-
Will do. You know, I have had lots of luck with MBAM... but I wonder why this time MBAM needed all the help of the other programs? Is that due to my being on free MBAM, or was the virus too far installed? Anyway, I will get it running...
-
Some malware requires multiple runs with different programmes to totally remove it - one that does them all would need to be updated by the minute and would be rather large.
-
OK... here is the report... Also, no known problems as of yet (nothing like it was before with the redirects);
-
Still so far so good, but you know it has brought another question up for me to ask all of you experts... am I running too much or too little in protection programs? I know this one probably started from clicking the wrong thing on a social network site, and we won't be doing that again... but anyway we are running: avast (live), and the free on-demand programs (they are only running when I open them, I presume) are MBAM, CCleaner, TDSSKiller, HostsMan, SUPERAntiSpyware and HitmanPro 3.5, Defogger. They seem to be interacting OK, and I do not see any negative interactions at this point.
Should I be putting ZoneAlarm or Sandboxie on this mini laptop as well? Too much here?? Overwhelmed with overkill? Probably.
Thanks all.
-
No, ZoneAlarm is not as good as before, but if you'd like to use a firewall, you can try Outpost Free, or pay and buy Outpost Firewall Pro.
-
Your MBAM log is clean, but Essexboy will continue working with you when he returns to the forum as some tools he uses he also may need to remove from your machine and clean things up. He will also instruct you on "How you got infected" in the first place.
Once everything is cleared up, we can address your issue of how much and what software is needed. It is true that you do not want to have too much to conflict and overkill, but you can also layer your software for defense. Since you now have over 20 posts, can you enter your Signature so others can assist you with this. Please go to PROFILE on the top of the main forum page > Modify Profile > Forum Profile Information > Signature. Enter information about your system like the Operating System (OS), RAM, browser, security software, what version and product of Avast and firewall you use and other items you wish to mention. See my signature or others as an example.
As for a firewall, there are several that are compatible with Avast that you can do a search on the forum. Some that have worked well are Online_Armor (free and Premium), Outp0st (free or paid). We have recently noted problems (on their end) with PC_Tools; and have noted problems with Ashamp0o, and some have had problems with ZA. I would suggest doing a trial for a month after everything is fixed on your machine to see if a software is compatible with your other software prior to buying anything. But before doing any of that, we need to continue fixing your malware problem first.
-
If you really want to add some extra protection to your system you could add the pro license to your MBAM, about $20 for lifetime.
-
To remove all tools then
- Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
- Click Yes to begin the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Thanks all. And craigb, I might do the $20 for a lifetime on the mbam. I think my buddy must have done that b/c his seems to run live and my free version does not.
Anyway essexboy, so you like spywareblaster better than hitmanpro and/or superantispyware? (I ask b/c those are already installed and seem to be OK.) Does it use fewer resources? Have you had better luck with it? I guess it may come down to 6 of one; 1/2 a dozen of the other?
-
Spywareblaster just places killbits in your registry to stop spyware installing, and is totally passive. I use this just as a backstop.
I have some doubts about hitmanpro as I have seen it remove system files, leaving the computer unbootable. Mind you, it is easier to clean in that state ;D
MBAM is the leader of the pack at the moment with SAS coming second, but positions change with time ;D
-
First of all, all - Thanks. Thanks, thanks. I guess from you guys that have read the logs and the way my machine is behaving, I guess I am clean... yay :)
OK, I'm a bit of a novice compared to you folks, so here is what is on there now: "Running avast (live), and the free on-demand (they are only running when I open them, I presume) programs are MBAM, ccleaner, tdss killer, hosts man, superantispyware and hitmanpro 3.5, defogger. They seem to be interacting OK, and I do not see any negative interactions at this point." So I think I get what you say about spywareblaster being passive. The superantispyware comes up when I turn on the machine...
So am I running too much? It seems some are not doing anything until opened... I just d/l'd online-armor and am installing that... (Is the superantispyware going to interact with online armor if running at the same time? I guess I will see in a bit.)
Should I delete anything that may be an interaction? And I have installed some of the firefox add-ons, noscript and adblock.
-
Well, online armor just blocked something... I have no idea what this is... (I will hit block)... The computer was just sitting on the avast website, in firefox, and the following was blocked: "program deploy.jar wants to run", located in c:\program files\java\jre6\lib\deploy.jar. The parent program is listed as "c:\program files\java\jre6\bin\javaws.exe"... Again I will hit block... but does anyone know what this is or how to get rid of it?
Is something hiding in java?
-
It is part of Java - to be honest, if you do not use Java, bin it - I have.
-
"Spywareblaster just places killbits in your registry to stop spyware installing, and is totally passive. I use this just as a backstop"
About the spywareblaster and the killbits in the registry; I am a bit of a newbie, so I was wondering: does that mean that once you install the program, it is in there, or do you have to "have it running" for it to put in the backstop/killbits?
-
A killbit is a registry CLSID/ActiveX entry with an annotation after it stating that it is never to be run or changed.
A small, nearly legible explanation from MS: http://support.microsoft.com/kb/240797
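As an added, read-only example (not from this thread, and not SpywareBlaster's own code), here is a PowerShell script that lists the kill bits currently set on a machine. It uses the registry location and the 0x400 bit of the "Compatibility Flags" DWORD that KB240797 describes; the WOW6432Node path, the friendly-name lookup under HKCR\CLSID and the all-zero placeholder CLSID in the usage call are assumptions of the example. Because it only reads the registry, it shows whether the entries are present no matter which protection tools happen to be running.

```powershell
# Added example (not from the forum thread or from SpywareBlaster):
# read-only listing of ActiveX kill bits. Per KB240797, a CLSID is "killed"
# when the DWORD "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# has bit 0x400 set. Nothing here writes to the registry.

$KillBitFlag = 0x400

# Assumption: on 64-bit Windows a second hive under Wow6432Node exists;
# on 32-bit XP that path is simply absent and is skipped.
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ClsidFriendlyName {
    # Resolve a CLSID to its registered default name. Many kill bits are set
    # for controls that were never installed (that is the point of a
    # backstop), so '(unregistered)' is a normal result.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (Test-Path $key) {
        $name = (Get-ItemProperty -Path $key).'(default)'
        if ($name) { return $name }
        return '(no name)'
    }
    return '(unregistered)'
}

function Get-KillBitEntries {
    # Enumerate every CLSID whose Compatibility Flags has the kill bit set.
    $results = foreach ($path in $CompatPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($sub in Get-ChildItem -Path $path) {
            $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            $flags = $props.'Compatibility Flags'
            if ($null -eq $flags) { continue }
            if (($flags -band $KillBitFlag) -ne 0) {
                [pscustomobject]@{
                    CLSID = $sub.PSChildName
                    Flags = ('0x{0:X}' -f [int]$flags)
                    Name  = Get-ClsidFriendlyName -Clsid $sub.PSChildName
                    Hive  = $path
                }
            }
        }
    }
    return $results
}

function Test-KillBit {
    # True if the given CLSID (braces included) has its kill bit set in any hive.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in $CompatPaths) {
        $key = Join-Path $path $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band $KillBitFlag) -ne 0)) { return $true }
    }
    return $false
}

# Usage: count and list the kill bits, then query a single CLSID.
# The all-zero GUID is a placeholder; substitute the CLSID you care about.
$entries = @(Get-KillBitEntries)
"Kill bits set: $($entries.Count)"
$entries | Sort-Object Name | Format-Table CLSID, Flags, Name -AutoSize
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Run it from a normal PowerShell prompt; reading HKLM does not need elevation. The count it reports is the number of entries SpywareBlaster (or Windows Update, which also sets kill bits) has left in place, which is why the program does not need to be running for the protection to apply.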
-
Well, all was good for a while, and now online armor asked if something was OK to access the internet and I did not answer; I went to get a cup of coffee and when I came back the computer was restarting itself.
Only the HP message comes up and then it goes to a blank screen with a cursor in the upper left...
That's it...
How messed up is it???? :(
..... update ..... I did a bit of searching... it's either a really bad virus, but a scan with mbam and superantispyware did not reveal anything this morning just before it died... or it is a hard drive failure... I can get to the F9 at start up... but that's it... any ideas? Anyone?
-
It sure would help if you go to PROFILE then Modify Profile then Forum Profile Information then update your Signature: with information like my signature as this helps the helpers offer pertinent advice.
-
"I can get to the F9 at start up... but that's it... any ideas? Anyone?"
You mean F8, or what does F9 do on your system?
asyn
-
A sudden break like that does sound like a hardware problem.
-
@essexboy and superhacker:
Latest Hitman Pro release:
Changed the default "Delete" action label on infected critical system files into "Replace". The old text confused some users. Please note that Hitman Pro never deletes critical system files or the master boot record. By design, Hitman Pro replaces (when available) infected files or code with verified clean safe versions and data.
-
"@essexboy and superhacker:
Latest Hitman Pro release:
Changed the default "Delete" action label on infected critical system files into "Replace". The old text confused some users. Please note that Hitman Pro never deletes critical system files or the master boot record. By design, Hitman Pro replaces (when available) infected files or code with verified clean safe versions and data."
Thanks for the info, I will download and try ;D
-
Still a bit nervous of it - but thanks for the heads-up ;D
-
You are welcome.
You've helped many; I hope one day I could help you ;)