Author Topic: [Resolved] Coupla Virus problems (Hijack log attached)  (Read 3738 times)

Offline bushka

  • Bronze Member
  • Posts: 134
[Resolved] Coupla Virus problems (Hijack log attached)
« on: February 09, 2011, 08:43:10 AM »
Hi.  I had the "Warning! Your computer is infected" blah blah wallpaper virus, and got rid of at least some of it with CCleaner, which I had to load from another computer.  I now have the TR/uploader (I think it was called) and I'm constantly getting redirected anytime I try to get online (I'm on another PC now).  I've attached the hijack log below:

Thanks for any help, Hoov!

« Last Edit: February 09, 2011, 09:58:49 AM by Hoov »



Offline bushka

  • Bronze Member
  • Posts: 134
Oops
« Reply #1 on: February 09, 2011, 08:44:38 AM »
I just tried to post a hijackthis log, but I think I posted the message by accident.  Here it is:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:32:35 AM, on 2/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [Ozerajifohavona] rundll32.exe "C:\WINDOWS\ifixiyal.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291832861515
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 7649 bytes

Online Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22904
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Coupla Virus problems (Hijack log attached)
« Reply #2 on: February 09, 2011, 09:59:42 AM »
I have worked with you before, so you know how I work. Please stick with me until the end.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
    Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Consumer Security

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline bushka

  • Bronze Member
  • Posts: 134
Re: [In Progress] Coupla Virus problems (Hijack log attached)
« Reply #3 on: February 09, 2011, 12:14:07 PM »
I ran Malwarebytes yesterday (full scan) and it came up clean.  I just did the TSS one you recommended and it found something the first time.  I ran it again and it found nothing.  Here is the last report:

    2011/02/09 12:50:17.0734 2436   TDSS rootkit removing tool 2.4.16.0 Feb  1 2011 10:34:03
    2011/02/09 12:50:17.0984 2436   ================================================================================
    2011/02/09 12:50:17.0984 2436   SystemInfo:
    2011/02/09 12:50:17.0984 2436   
    2011/02/09 12:50:17.0984 2436   OS Version: 5.1.2600 ServicePack: 3.0
    2011/02/09 12:50:17.0984 2436   Product type: Workstation
    2011/02/09 12:50:17.0984 2436   ComputerName: TOSHIBA-USER
    2011/02/09 12:50:17.0984 2436   UserName: Toshiba Owner
    2011/02/09 12:50:17.0984 2436   Windows directory: C:\WINDOWS
    2011/02/09 12:50:17.0984 2436   System windows directory: C:\WINDOWS
    2011/02/09 12:50:17.0984 2436   Processor architecture: Intel x86
    2011/02/09 12:50:17.0984 2436   Number of processors: 2
    2011/02/09 12:50:17.0984 2436   Page size: 0x1000
    2011/02/09 12:50:17.0984 2436   Boot type: Normal boot
    2011/02/09 12:50:17.0984 2436   ================================================================================
    2011/02/09 12:50:18.0453 2436   Initialize success
    2011/02/09 12:50:19.0593 2416   ================================================================================
    2011/02/09 12:50:19.0593 2416   Scan started
    2011/02/09 12:50:19.0593 2416   Mode: Manual;
    2011/02/09 12:50:19.0593 2416   ================================================================================
    2011/02/09 12:50:34.0625 2416   Wdf01000        (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/02/09 12:50:34.0875 2416   wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/02/09 12:50:35.0156 2416   ================================================================================
    2011/02/09 12:50:35.0156 2416   Scan finished
    2011/02/09 12:50:35.0156 2416   ================================================================================

    Online Hoov

    • Malware Removal Mentors
    • Global Moderator
    • Diamond Member
    • Posts: 22904
    • Unwilling part owner of Gov't. Motors and Chrysler
      • Hoov's Personal Site
    Re: [In Progress] Coupla Virus problems (Hijack log attached)
    « Reply #4 on: February 09, 2011, 12:20:31 PM »
    Can you post the last Malwarebytes' Anti-Malware log that you have? Also I need the log from the first TDSSKiller scan.

    Consumer Security

    If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

    Offline bushka

    « Reply #5 on: February 09, 2011, 04:43:06 PM »
    Unfortunately (stupidly?) I overwrote the first killer log with the second one that I posted above.  Here is the latest Malwarebytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5714

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/8/2011 3:09:04 PM
    mbam-log-2011-02-08 (15-09-04).txt

    Scan type: Quick scan
    Objects scanned: 37625
    Time elapsed: 2 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\Temp\Ecw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\Ecy.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    Offline bushka

    « Reply #6 on: February 09, 2011, 04:47:06 PM »
    I should add that since I ran the killer program, I am able to access websites without redirect now.  I haven't tested this out for long, so I don't know how clean I really am.

    This is the laptop I had so much trouble with.  I ended up replacing the motherboard (got a great price, so did it) and things were great.   Then I let everybody at my work use this laptop, and now I am infected.  Once this problem is fixed, the laptop doesn't get used by anybody.

    Also, since the laptop came back from repair, I noticed that I am not getting any restore points saved.  It appeared to me at first look that the settings I had should have allowed restore points, yet I had none.  I don't know if that would have fixed this problem...

    Online Hoov

    « Reply #7 on: February 09, 2011, 05:58:07 PM »
    Go ahead and play around with the computer for a day or so, make sure you can get into the system areas, check out the restore points (make sure it is turned on and creating restore points), make sure you are not having any problems browsing. If you have a problem let me know as soon as you see it. If not, come back tomorrow and if there are no problems we can finish up.

    Offline bushka

    « Reply #8 on: February 10, 2011, 01:44:19 PM »
    OK, thanks.  Give me another day or two to check it out.

    Offline bushka

    « Reply #9 on: February 11, 2011, 05:59:04 PM »
    Things seem mostly normal, but Avira keeps finding viruses.  Avira popped up and said it found 12 viruses "or unwanted programs".  It removed them, and did an automatic scan.  I looked at the reports and it kept finding TR/Dropper.Gen.  I am leaving for the evening but am going to run Antimalwarebytes overnight and will have a report in the morning when I am back in to work.  Please let me know if you need any reports.

    Thanks!

    Online Hoov

    « Reply #10 on: February 11, 2011, 07:12:30 PM »
    Also can you post up a couple of the reports from Avira?

    Offline bushka

    « Reply #11 on: February 12, 2011, 09:54:04 AM »
    Here are the two avira reports.  As I type this I'm getting another Avira pop up saying Dropper was found.

    Here's the one I just got with 10 Droppers:



    Avira AntiVir Personal
    Report file date: Friday, February 11, 2011  19:03

    Scanning for 2396161 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee        : Avira AntiVir Personal - FREE Antivirus
    Serial number   : 0000149996-ADJIE-0000001
    Platform        : Windows XP
    Windows version : (Service Pack 3)  [5.1.2600]
    Boot mode       : Normally booted
    Username        : SYSTEM
    Computer name   : TOSHIBA-USER


    Configuration settings for the scan:
    Jobname.............................: avguard_async_scan
    Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4d9088ab\guard_slideup.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: quarantine
    Scan master boot sector.............: on
    Scan boot sector....................: off
    Process scan........................: on
    Scan registry.......................: off
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: high

    Start of the scan: Friday, February 11, 2011  19:03

    The scan of running processes will be started

    Starting the file scan:

    Begin scan in 'C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe'
    C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Program Files\ltmoh\Ltmoh.exe'
    C:\Program Files\ltmoh\Ltmoh.exe
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\XG03mHGo.exe'
    C:\Documents and Settings\All Users\Application Data\XG03mHGo.exe
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKB.tmp'
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKB.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKC.tmp'
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKC.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKD.tmp'
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKD.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKE.tmp'
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKE.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKF.tmp'
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKF.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184501-72DB4E1F\ARK10.tmp'
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184501-72DB4E1F\ARK10.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
    Begin scan in 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184501-72DB4E1F\ARK11.tmp'
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184501-72DB4E1F\ARK11.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan

    Beginning disinfection:
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184501-72DB4E1F\ARK11.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '57074e22.qua'.
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184501-72DB4E1F\ARK10.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '636f5b14.qua'.
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKF.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '59f04441.qua'.
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKE.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '69502827.qua'.
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKD.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '5d623cf3.qua'.
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKC.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '40872959.qua'.
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20110211-184033-3996E53E\ARKB.tmp
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '0bb460de.qua'.
    C:\Documents and Settings\All Users\Application Data\XG03mHGo.exe
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The file was moved to the quarantine directory under the name '029a6fc5.qua'.
    C:\Program Files\ltmoh\Ltmoh.exe
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LtMoh> was removed successfully.
        [NOTE]      The file was moved to the quarantine directory under the name '5a9c769d.qua'.
    C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe
        [DETECTION] Is the TR/Dropper.Gen Trojan
        [NOTE]      The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\THotkey> was removed successfully.
        [NOTE]      The file was moved to the quarantine directory under the name '766e0f49.qua'.


    End of the scan: Friday, February 11, 2011  19:04
    Used time: 00:07 Minute(s)

    The scan has been done completely.

          0 Scanned directories
         70 Files were scanned
         10 Viruses and/or unwanted programs were found
          0 Files were classified as suspicious
          0 files were deleted
          0 Viruses and unwanted programs were repaired
         10 Files were moved to quarantine
          0 Files were renamed
          0 Files cannot be scanned
         60 Files not concerned
          0 Archives were scanned
          0 Warnings
          3 Notes


    The scan results will be transferred to the Guard.


    The Malware scan overnight came up clean.

    Online Hoov

    « Reply #12 on: February 12, 2011, 10:05:57 AM »
    Stop Avira from starting with Windows. It appears that it is detecting its own signatures as viruses. Once you have stopped it from starting with Windows, reboot the computer and then using IE follow the instructions below.

    Please perform a BitDefender Online Virus and Malware Scan here:
    http://www.bitdefender.com/scan8/ie.html
        * Click on I Agree.
        * An ActiveX warning box will appear, click on Install.
        * Under Select What You Want To Check For Viruses.
        * Please Check My Computer and Click Ok
        * Now Click On Click Here To Scan
        * Next, Click on Click here to export the scan report
        * Save it to your Desktop.
        * In your next reply, please include the BitDefender log.

    Offline bushka

    « Reply #13 on: February 12, 2011, 02:06:43 PM »
    OK, it took me a little while to get the Avira stuff stopped, and BitDefender hung up on me a couple of times for some reason, but it did finish scanning, and here's the report:

    BitDefender Online Scanner - Real Time Virus Report

    Generated at: Sat, Feb 12, 2011 - 15:05:19

    --------------------------------------------------------------------------------

    Scan Info

    Scanned Files    181478
    Infected Files   25

    Virus Detected

    Gen:Variant.Kazy.11296           1
    Gen:Trojan.Heur.FU.emX@a4V2JCj   1
    Gen:Variant.Kazy.3281            1
    Gen:Trojan.Heur.FU.fmX@a0jjkrm   22

    --------------------------------------------------------------------------------

    This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

    Online Hoov

    « Reply #14 on: February 12, 2011, 02:24:03 PM »
    Do you have access to a clean computer with a CD burner and a broadband connection?
