
IE pops up windows with random URLs


ect


Hello,

I recently noticed that when I run Internet Explorer, an additional window will pop up with a link to a seemingly random URL. Sometimes the URL will contain search terms from previous Google searches I have done. Sometimes the window pops up right away when I first start IE, other times it won't pop up until I have been browsing for a while. Additionally, the first time I start IE after turning on my computer, it will pop up a message saying the previous session closed unexpectedly, though it seemed to close fine.

My logs are attached. Thanks in advance for your help!

Garrett

-------------------------------------------------

Malwarebytes Log

-------------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4450

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/20/2010 10:13:13 AM

mbam-log-2010-08-20 (10-13-13).txt

Scan type: Quick scan

Objects scanned: 133843

Time elapsed: 7 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------------------------------------

DDS.txt

-----------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Garrett at 22:45:26.12 on Mon 08/23/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1084 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: iolo AntiVirus

Attach.zip


Hi ect and Welcome to Malwarebytes Forum!

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

======================

Run MBRCheck.exe

  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you "Enter your choice:", enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • When asked "Do you want to fix the MBR code?", type in YES and press Enter
  • Restart your PC.

Post both reports here please.


I ran TDSSKiller and MBRCheck. They both found some issues. I have posted the logs below.

Thanks for your prompt response!

Garrett

------------------------------------------

TDSSKiller

------------------------------------------

2010/08/27 08:44:46.0781 TDSS rootkit removing tool 2.4.1.3 Aug 27 2010 08:53:42

2010/08/27 08:44:46.0781 ================================================================================

2010/08/27 08:44:46.0781 SystemInfo:

2010/08/27 08:44:46.0781

2010/08/27 08:44:46.0781 OS Version: 5.1.2600 ServicePack: 3.0

2010/08/27 08:44:46.0781 Product type: Workstation

2010/08/27 08:44:46.0781 ComputerName: GARRETT-89A06AD

2010/08/27 08:44:46.0781 UserName: Garrett

2010/08/27 08:44:46.0781 Windows directory: C:\WINDOWS

2010/08/27 08:44:46.0781 System windows directory: C:\WINDOWS

2010/08/27 08:44:46.0781 Processor architecture: Intel x86

2010/08/27 08:44:46.0781 Number of processors: 2

2010/08/27 08:44:46.0781 Page size: 0x1000

2010/08/27 08:44:46.0781 Boot type: Normal boot

2010/08/27 08:44:46.0781 ================================================================================

2010/08/27 08:44:47.0093 Initialize success

2010/08/27 08:45:01.0046 ================================================================================

2010/08/27 08:45:01.0046 Scan started

2010/08/27 08:45:01.0046 Mode: Manual;

2010/08/27 08:45:01.0046 ================================================================================

2010/08/27 08:45:02.0203 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/08/27 08:45:02.0296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2010/08/27 08:45:02.0453 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/08/27 08:45:02.0515 AegisP (a1ad1a4a9f18d900ca9c93fa3efdcb56) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/08/27 08:45:02.0609 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/08/27 08:45:03.0093 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/08/27 08:45:03.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/08/27 08:45:03.0468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/08/27 08:45:03.0593 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/08/27 08:45:03.0671 ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys

2010/08/27 08:45:03.0781 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/08/27 08:45:03.0890 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

2010/08/27 08:45:04.0000 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

2010/08/27 08:45:04.0062 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys

2010/08/27 08:45:04.0125 AX88772 (35c86dee8492d04ad9918329c4ecaf8a) C:\WINDOWS\system32\DRIVERS\ax88772.sys

2010/08/27 08:45:04.0203 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2010/08/27 08:45:04.0296 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/08/27 08:45:04.0468 btaudio (0f249be872f618aaba8d641e81aa3d21) C:\WINDOWS\system32\drivers\btaudio.sys

2010/08/27 08:45:04.0546 BTDriver (07f0a66cfa550b13ad0674ae09e3cba0) C:\WINDOWS\system32\DRIVERS\btport.sys

2010/08/27 08:45:04.0656 BTKRNL (ade37ab15c958f5db2f85431cca8763a) C:\WINDOWS\system32\DRIVERS\btkrnl.sys

2010/08/27 08:45:04.0796 BTWDNDIS (b1d350f3f13cf340fce93912d2ba1ebf) C:\WINDOWS\system32\DRIVERS\btwdndis.sys

2010/08/27 08:45:04.0906 btwhid (6beb0adaa3d2b80e6515eec5d03b7540) C:\WINDOWS\system32\DRIVERS\btwhid.sys

2010/08/27 08:45:04.0984 BTWUSB (a01fd9851406de0870c23759e2f7b6ea) C:\WINDOWS\system32\Drivers\btwusb.sys

2010/08/27 08:45:05.0062 CamFilter (727d84761f6890a9bdd5832661c0f3c5) C:\WINDOWS\system32\Drivers\CamFilter.sys

2010/08/27 08:45:05.0140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/08/27 08:45:05.0250 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/08/27 08:45:05.0406 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/08/27 08:45:05.0484 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/08/27 08:45:05.0562 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/08/27 08:45:05.0718 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/08/27 08:45:05.0843 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/08/27 08:45:06.0203 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/08/27 08:45:06.0281 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/08/27 08:45:06.0390 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/08/27 08:45:06.0453 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/08/27 08:45:06.0531 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/08/27 08:45:06.0625 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys

2010/08/27 08:45:06.0734 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys

2010/08/27 08:45:06.0812 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys

2010/08/27 08:45:06.0953 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/08/27 08:45:07.0046 EMSC (553cff6cf3622de0d7fefdebe72a6395) C:\WINDOWS\system32\DRIVERS\EMSC.SYS

2010/08/27 08:45:07.0328 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/08/27 08:45:07.0562 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2010/08/27 08:45:07.0593 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/08/27 08:45:07.0640 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/08/27 08:45:07.0687 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/08/27 08:45:07.0734 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/08/27 08:45:07.0765 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/08/27 08:45:07.0828 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

2010/08/27 08:45:07.0859 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/08/27 08:45:07.0906 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys

2010/08/27 08:45:07.0968 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/08/27 08:45:08.0015 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/08/27 08:45:08.0125 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/08/27 08:45:08.0203 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/08/27 08:45:08.0234 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/08/27 08:45:08.0437 IntcAzAudAddService (a799e941c3d19bcf6f93cbe12b55bc17) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2010/08/27 08:45:08.0609 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/08/27 08:45:08.0656 iomdisk (75931ebd581b9f79010640f924085fd4) C:\WINDOWS\system32\DRIVERS\iomdisk.sys

2010/08/27 08:45:08.0765 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/08/27 08:45:08.0828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/08/27 08:45:08.0906 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/08/27 08:45:08.0984 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/08/27 08:45:09.0046 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/08/27 08:45:09.0093 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/08/27 08:45:09.0203 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/08/27 08:45:09.0265 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/08/27 08:45:09.0328 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/08/27 08:45:09.0375 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/08/27 08:45:09.0468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/08/27 08:45:09.0531 Ktp (69e35a38e573e12e2d20634233403d8d) C:\WINDOWS\system32\DRIVERS\Ktp.sys

2010/08/27 08:45:09.0796 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys

2010/08/27 08:45:09.0875 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/08/27 08:45:09.0968 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/08/27 08:45:10.0015 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/08/27 08:45:10.0109 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/08/27 08:45:10.0156 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/08/27 08:45:10.0296 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/08/27 08:45:10.0359 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/08/27 08:45:10.0453 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/08/27 08:45:10.0562 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/08/27 08:45:10.0593 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/08/27 08:45:10.0671 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/08/27 08:45:10.0734 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/08/27 08:45:10.0812 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/08/27 08:45:10.0875 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/08/27 08:45:10.0937 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/08/27 08:45:11.0031 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/08/27 08:45:11.0078 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/08/27 08:45:11.0093 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/08/27 08:45:11.0140 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/08/27 08:45:11.0187 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/08/27 08:45:11.0234 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/08/27 08:45:11.0250 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/08/27 08:45:11.0296 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/08/27 08:45:11.0484 NETw4x32 (b57c3897952a5e327e62fb0f267e69a8) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys

2010/08/27 08:45:11.0609 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/08/27 08:45:11.0656 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/08/27 08:45:11.0671 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/08/27 08:45:11.0765 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/08/27 08:45:11.0984 nv (f9cafb3a6e8fc12303663d1df654a687) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/08/27 08:45:12.0531 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/08/27 08:45:12.0593 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/08/27 08:45:12.0687 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/08/27 08:45:12.0812 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2010/08/27 08:45:12.0875 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/08/27 08:45:12.0953 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/08/27 08:45:12.0984 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/08/27 08:45:13.0062 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/08/27 08:45:13.0140 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/08/27 08:45:13.0687 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/08/27 08:45:13.0734 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/08/27 08:45:13.0781 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/08/27 08:45:14.0093 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/08/27 08:45:14.0171 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/08/27 08:45:14.0218 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/08/27 08:45:14.0281 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/08/27 08:45:14.0343 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/08/27 08:45:14.0406 RDPCDD (ecbf6f13ec798af166412b8a485f0539) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/08/27 08:45:14.0421 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: ecbf6f13ec798af166412b8a485f0539, Fake md5: 4912d5b403614ce99c28420f75353332

2010/08/27 08:45:14.0421 RDPCDD - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/08/27 08:45:14.0500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/08/27 08:45:14.0578 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/08/27 08:45:14.0671 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/08/27 08:45:14.0781 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

2010/08/27 08:45:14.0859 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

2010/08/27 08:45:14.0968 s24trans (eadfb87f911a7a75d1b80617f92901e8) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2010/08/27 08:45:15.0078 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/08/27 08:45:15.0156 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/08/27 08:45:15.0234 Ser2pl (6ce397c482bede91a38e56a8c4a0dc6d) C:\WINDOWS\system32\DRIVERS\ser2pl.sys

2010/08/27 08:45:15.0296 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/08/27 08:45:15.0359 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2010/08/27 08:45:15.0406 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/08/27 08:45:15.0546 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/08/27 08:45:15.0656 smserial (63b3b77bdb67ee674771c0e6fb96da9e) C:\WINDOWS\system32\DRIVERS\smserial.sys

2010/08/27 08:45:16.0093 SNP2UVC (09795b55ab5c3e5d63a34d5189f65ba3) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys

2010/08/27 08:45:16.0640 sonypvs1 (dfadfc2c86662f40759bf02add27d569) C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

2010/08/27 08:45:16.0812 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/08/27 08:45:16.0906 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/08/27 08:45:16.0984 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/08/27 08:45:17.0093 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2010/08/27 08:45:17.0359 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/08/27 08:45:17.0578 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/08/27 08:45:17.0687 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/08/27 08:45:17.0953 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/08/27 08:45:18.0109 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/08/27 08:45:18.0218 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINDOWS\system32\Drivers\tcusb.sys

2010/08/27 08:45:18.0296 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/08/27 08:45:18.0406 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/08/27 08:45:18.0468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/08/27 08:45:18.0703 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/08/27 08:45:18.0906 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/08/27 08:45:18.0984 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/08/27 08:45:19.0031 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/08/27 08:45:19.0093 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/08/27 08:45:19.0140 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/08/27 08:45:19.0203 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/08/27 08:45:19.0250 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/08/27 08:45:19.0296 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/08/27 08:45:19.0359 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/08/27 08:45:19.0421 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2010/08/27 08:45:19.0500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/08/27 08:45:19.0609 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/08/27 08:45:19.0671 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/08/27 08:45:19.0734 wceusbsh (dc7f91b2ed24a738c807ea07f298928c) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

2010/08/27 08:45:19.0843 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/08/27 08:45:19.0984 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/08/27 08:45:20.0125 WmBEnum (38932c4649f8baad6ce1000ac6503d5b) C:\WINDOWS\system32\drivers\WmBEnum.sys

2010/08/27 08:45:20.0171 WmFilter (58b3adab903fa1a78c86e6a42b80fe76) C:\WINDOWS\system32\drivers\WmFilter.sys

2010/08/27 08:45:20.0312 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2010/08/27 08:45:20.0390 WmVirHid (e45f01f4014d7ab13b8a0c41ebf48a3d) C:\WINDOWS\system32\drivers\WmVirHid.sys

2010/08/27 08:45:20.0484 WmXlCore (0398265dd65aae2ece180fa9d1e7b5bb) C:\WINDOWS\system32\drivers\WmXlCore.sys

2010/08/27 08:45:20.0531 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/08/27 08:45:20.0609 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/08/27 08:45:20.0734 ================================================================================

2010/08/27 08:45:20.0734 Scan finished

2010/08/27 08:45:20.0734 ================================================================================

2010/08/27 08:45:20.0765 Detected object count: 1

2010/08/27 08:47:22.0625 RDPCDD (ecbf6f13ec798af166412b8a485f0539) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/08/27 08:47:22.0625 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: ecbf6f13ec798af166412b8a485f0539, Fake md5: 4912d5b403614ce99c28420f75353332

2010/08/27 08:47:24.0062 Backup copy found, using it..

2010/08/27 08:47:24.0062 C:\WINDOWS\system32\DRIVERS\RDPCDD.sys - will be cured after reboot

2010/08/27 08:47:24.0062 Rootkit.Win32.TDSS.tdl3(RDPCDD) - User select action: Cure

2010/08/27 08:48:04.0265 Deinitialize success

-----------------------------------------------

MBRCheck

-----------------------------------------------

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001c

Kernel Drivers (total 141):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806FF000 \WINDOWS\system32\hal.dll

0xF7987000 \WINDOWS\system32\KDCOM.DLL

0xF7897000 \WINDOWS\system32\BOOTVID.dll

0xF75F7000 klmdb.sys

0xF7508000 ACPI.sys

0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF74F7000 pci.sys

0xF7607000 isapnp.sys

0xF7617000 ohci1394.sys

0xF7627000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF789B000 compbatt.sys

0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7A4F000 pciide.sys

0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7637000 MountMgr.sys

0xF74D8000 ftdisk.sys

0xF798B000 dmload.sys

0xF74B2000 dmio.sys

0xF78A3000 ACPIEC.sys

0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS

0xF770F000 PartMgr.sys

0xF7647000 VolSnap.sys

0xF749A000 atapi.sys

0xF7657000 disk.sys

0xF7667000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7867000 fltmgr.sys

0xF7855000 sr.sys

0xF783E000 KSecDD.sys

0xF7B52000 Ntfs.sys

0xF795A000 NDIS.sys

0xF7A35000 Mup.sys

0xF7677000 iomdisk.sys

0xBA929000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xBAFC4000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0xB9E8C000 \SystemRoot\system32\DRIVERS\nv4_mini.sys

0xB9E78000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF77D7000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB9E54000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF77DF000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB9E2C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB9E01000 \SystemRoot\system32\DRIVERS\b57xp32.sys

0xB9BE6000 \SystemRoot\system32\DRIVERS\NETw4x32.sys

0xBA919000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xB9BD2000 \SystemRoot\system32\DRIVERS\sdbus.sys

0xBA909000 \SystemRoot\system32\DRIVERS\rimmptsk.sys

0xB9BBE000 \SystemRoot\system32\DRIVERS\rimsptsk.sys

0xBAFB8000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xF76B7000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF77EF000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF77F7000 \SystemRoot\system32\DRIVERS\Ktp.sys

0xF77FF000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF76C7000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF76D7000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF76E7000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB9B9B000 \SystemRoot\system32\DRIVERS\ks.sys

0xF7807000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys

0xBAFB0000 \SystemRoot\system32\DRIVERS\EMSC.SYS

0xF76F7000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS

0xB9B20000 \SystemRoot\system32\DRIVERS\Wdf01000.sys

0xB9A18000 \SystemRoot\system32\DRIVERS\btkrnl.sys

0xBAA1F000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF75C6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBAF91000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB9A01000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF75B6000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF75A6000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF780F000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB99F0000 \SystemRoot\system32\DRIVERS\psched.sys

0xF7596000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7817000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF781F000 \SystemRoot\system32\DRIVERS\raspti.sys

0xB99C0000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xF7586000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF79AF000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB9962000 \SystemRoot\system32\DRIVERS\update.sys

0xBAF79000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBAF75000 \SystemRoot\system32\drivers\WmBEnum.sys

0xF7576000 \SystemRoot\system32\drivers\WmXlCore.sys

0xB9913000 \SystemRoot\system32\drivers\btaudio.sys

0xB98EF000 \SystemRoot\system32\drivers\portcls.sys

0xF7566000 \SystemRoot\system32\drivers\drmk.sys

0xF7556000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF7546000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF79B1000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xB7798000 \SystemRoot\system32\drivers\RtkHDAud.sys

0xB76A7000 \SystemRoot\system32\DRIVERS\smserial.sys

0xBA5ED000 \SystemRoot\System32\Drivers\Modem.SYS

0xF79B9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xB98C5000 \SystemRoot\System32\Drivers\Null.SYS

0xF79BB000 \SystemRoot\System32\Drivers\Beep.SYS

0xBA5CD000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xBA5C5000 \SystemRoot\System32\drivers\vga.sys

0xF79BD000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF79C1000 \SystemRoot\system32\drivers\tsk8.tmp

0xF744A000 \SystemRoot\System32\Drivers\tcusb.sys

0xBA5BD000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA5B5000 \SystemRoot\System32\Drivers\Npfs.SYS

0xBAFD4000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xB757A000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xB7521000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xB74F9000 \SystemRoot\system32\DRIVERS\netbt.sys

0xB74D7000 \SystemRoot\System32\drivers\afd.sys

0xF743A000 \SystemRoot\system32\DRIVERS\netbios.sys

0xBA5AD000 \SystemRoot\system32\DRIVERS\ssmdrv.sys

0xB74AC000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xB743C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF742A000 \SystemRoot\System32\Drivers\Fips.SYS

0xB7416000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xBA5A5000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xF741A000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xF740A000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xB73D2000 \SystemRoot\system32\DRIVERS\avipbb.sys

0xF79C5000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys

0xB6AAA000 \SystemRoot\system32\DRIVERS\snp2uvc.sys

0xF7687000 \SystemRoot\system32\DRIVERS\STREAM.SYS

0xF774F000 \SystemRoot\system32\DRIVERS\sncduvc.SYS

0xF7757000 \SystemRoot\System32\Drivers\CamFilter.sys

0xF76A7000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xB6A42000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF79C9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xB7693000 \SystemRoot\System32\drivers\Dxapi.sys

0xF776F000 \SystemRoot\System32\watchdog.sys

0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys

0xB98C2000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF9D6000 \SystemRoot\System32\nv4_disp.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xB433A000 \SystemRoot\system32\DRIVERS\avgntflt.sys

0xF778F000 \SystemRoot\system32\DRIVERS\AegisP.sys

0xB4356000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xB4336000 \SystemRoot\system32\DRIVERS\s24trans.sys

0xB3F4D000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xB767C000 \??\C:\WINDOWS\system32\Drivers\mchInjDrv.sys

0xB4914000 \SystemRoot\System32\Drivers\MASPINT.SYS

0xB3BFE000 \SystemRoot\system32\DRIVERS\srv.sys

0x9E4B1000 \SystemRoot\system32\drivers\wdmaud.sys

0xB4062000 \SystemRoot\system32\drivers\sysaudio.sys

0x9E351000 \SystemRoot\system32\drivers\kmixer.sys

0x9DD72000 \SystemRoot\System32\Drivers\HTTP.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 74):

0 System Idle Process

4 System

836 C:\WINDOWS\system32\smss.exe

912 C:\WINDOWS\system32\csrss.exe

944 C:\WINDOWS\system32\winlogon.exe

988 C:\WINDOWS\system32\services.exe

1000 C:\WINDOWS\system32\lsass.exe

1188 C:\WINDOWS\system32\svchost.exe

1256 C:\WINDOWS\system32\svchost.exe

1296 C:\WINDOWS\system32\svchost.exe

1320 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

1420 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

1468 C:\WINDOWS\system32\svchost.exe

1520 C:\WINDOWS\system32\svchost.exe

1728 C:\WINDOWS\system32\spoolsv.exe

1892 C:\Program Files\Avira\AntiVir Desktop\sched.exe

1944 C:\WINDOWS\system32\svchost.exe

2024 C:\Program Files\Avira\AntiVir Desktop\avguard.exe

2036 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

176 C:\Program Files\Bonjour\mDNSResponder.exe

236 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

480 C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

608 C:\PROGRA~1\Iomega\System32\AppServices.exe

620 C:\Program Files\Java\jre6\bin\jqs.exe

764 C:\WINDOWS\system32\nvsvc32.exe

812 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

868 C:\Program Files\CyberLink\Shared Files\RichVideo.exe

892 C:\Program Files\Compal Electronics, INC\Smart Watchdog\SWDsvc.exe

1216 C:\WINDOWS\system32\svchost.exe

1336 C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

1400 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

1432 C:\WINDOWS\system32\wdfmgr.exe

1488 C:\Program Files\Viewpoint\Common\ViewpointService.exe

1576 C:\Program Files\Iomega\AutoDisk\ADService.exe

1696 C:\WINDOWS\system32\wuauclt.exe

2592 C:\WINDOWS\system32\alg.exe

2980 C:\WINDOWS\system32\wbem\wmiprvse.exe

3360 C:\WINDOWS\explorer.exe

3676 C:\Program Files\Compal\Wireless Select Switch\WLSS.exe

3784 C:\WINDOWS\vsnp2uvc.exe

3796 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

3812 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

3820 C:\Program Files\Compal\Wow Video&Audio\WVAMain.exe

3840 C:\Program Files\Compal\Smart Battery\SMBTray.exe

3952 C:\Program Files\Protector Suite QL\psqltray.exe

3964 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

4052 C:\WINDOWS\RTHDCPL.exe

4088 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

232 C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

476 C:\Program Files\Iomega\DriveIcons\Imgicon.exe

2180 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

2260 C:\Program Files\Logitech\Gaming Software\LWEMon.exe

2188 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

2376 C:\Program Files\iTunes\iTunesHelper.exe

992 C:\Program Files\Common Files\Java\Java Update\jusched.exe

2668 C:\Program Files\Messenger\msmsgs.exe

568 C:\WINDOWS\system32\ctfmon.exe

2624 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

3120 C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

3336 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

3392 C:\Program Files\TiVo\Desktop\TiVoNotify.exe

3516 C:\Program Files\TiVo\Desktop\TiVoServer.exe

3532 C:\Program Files\Skype\Phone\Skype.exe

3352 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

3708 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

3988 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

3088 C:\Program Files\iPod\bin\iPodService.exe

3060 C:\Program Files\Internet Explorer\iexplore.exe

1964 C:\Program Files\Internet Explorer\iexplore.exe

3376 C:\Program Files\Skype\Plugin Manager\skypePM.exe

3596 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

3540 C:\WINDOWS\system32\wbem\wmiadap.exe

2388 C:\Program Files\Internet Explorer\iexplore.exe

2292 C:\Documents and Settings\Garrett\Local Settings\Temporary Internet Files\Content.IE5\EL2WLPCR\MBRCheck[1].exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000010`002a4400 (NTFS)

PhysicalDrive0 Model Number: ST9160823AS, Rev: 3.AAB

Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 6C7C25672E81AF972795B06F11E2842DECE070E7

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice:
Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:

[ 0] Default (Windows XP)

[ 1] Windows XP

[ 2] Windows Server 2003

[ 3] Windows Vista

[ 4] Windows 2008

[ 5] Windows 7

[-1] Cancel

Please select the MBR code to write to this drive: 1

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES

Successfully wrote new MBR code!

Please reboot your computer to complete the fix.

Done!
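The MBRCheck output above flags the disk because the boot-code region of the MBR does not hash to any loader it recognises. As an added example (not MBRCheck's own code and not part of this thread), the Python below parses a constructed 512-byte MBR image the same way a defender would when triaging such a report: it validates the 0x55AA signature, hashes the 440-byte boot-code region, decodes the partition table and looks the hash up in an allowlist that is only a placeholder here.

```python
"""Parse a 512-byte MBR and report its boot-code hash and partition table.

Added example (not part of the original thread or MBRCheck): it mirrors what
MBRCheck does when it labels boot code "Unknown MBR code" by hashing the
code region and comparing it with a list of known-good hashes.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Placeholder allowlist (assumption): a real checker would fill this with the
# SHA-1 of the stock boot code for each Windows version it recognises.
KNOWN_GOOD_BOOT_CODE = {
    "PLACEHOLDER_SHA1_OF_STOCK_XP_BOOT_CODE": "Windows XP",
}

@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

@dataclass
class MbrReport:
    boot_code_sha1: str
    disk_signature: int
    partitions: list
    known_code: str          # allowlist name or "Unknown MBR code"

def parse_mbr(sector: bytes) -> MbrReport:
    """Validate one raw MBR sector and decode it."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    sha1 = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, type_id, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if type_id != 0:     # type 0 marks an empty slot
            parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return MbrReport(sha1, disk_sig, parts,
                     KNOWN_GOOD_BOOT_CODE.get(sha1, "Unknown MBR code"))

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample image: one bootable NTFS partition starting at LBA 63."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)            # disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF,
                     0x80, 0x07, 63, 312_000_000)             # active, NTFS
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)
```

On a real system the 512 bytes would come from reading the first sector of \\.\PhysicalDrive0, which requires administrative rights; any hash not in the allowlist deserves the same scrutiny MBRCheck gave it above.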


The search redirections should have stopped now.

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hello,

I haven't seen any more search redirections. The ComboFix log is below.

Thanks,

Garrett

------------------------------------------

ComboFix log

------------------------------------------

ComboFix 10-08-26.04 - Garrett 08/27/2010 21:54:10.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1347 [GMT -7:00]

Running from: c:\documents and settings\Garrett\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: iolo AntiVirus


Sorry about that--the first time I ran it I didn't have internet access. Here is the log from C:, although the date and time seems to be the same as the one I posted previously.

Also, when Avira antivirus alerts me that it has found a virus/rootkit, should I choose the default action and deny access, or delete the file?

Thanks,

Garrett

--------------------------------------------

ComboFix.txt

--------------------------------------------

ComboFix 10-08-26.04 - Garrett 08/27/2010 21:54:10.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1347 [GMT -7:00]

Running from: c:\documents and settings\Garrett\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: iolo AntiVirus


I found a file called ComboFix2.txt in C:\Qoobox that looks like it's from my earlier scan. Posted below.

--------------------------------------------------------------

ComboFix2.txt

--------------------------------------------------------------

ComboFix 10-08-26.04 - Garrett 08/27/2010 13:34:22.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1327 [GMT -7:00]

Running from: c:\documents and settings\Garrett\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: iolo AntiVirus


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

EsetOnlineScanner\log.txt

checkup.txt

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Hello,

Things are running fine now--I haven't had any problems while following your instructions, and I haven't seen any more random IE windows popping up. I have pasted the logs you requested below. ESET found two infections.

Thanks,

Garrett

-------------------------------------------------

EsetOnlineScanner

-------------------------------------------------

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=a13116c9d9458b4481b96fd2a453269b

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-08-29 05:52:10

# local_time=2010-08-29 10:52:10 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775141 100 94 0 55640161 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=120687

# found=2

# cleaned=0

# scan_time=3484

C:\Documents and Settings\Garrett\Application Data\Sun\Java\Deployment\cache\6.0\17\30c29111-6a388143 multiple threats 00000000000000000000000000000000 I

C:\WINDOWS\system32\drivers\rdpcdd.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I

--------------------------------------------------------

Security Check

--------------------------------------------------------

Results of screen317's Security Check version 0.99.5

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Java 6 Update 3

Java 6 Update 5

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player

Adobe Reader 8.1.5

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

iolo common lib ioloServiceManager.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


Please look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

Next

There are some older versions of Java on your computer. These can be a source of infection.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 21 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u121 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - leave BOTH checked:
      • Applications and Applets
      • Trace and Log Files
    • Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the downloaded applications and applets from the cache.
    • Click OK to leave the Temporary Files window.
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_21 from Sun Microsystems Inc.

-------------------------------------------------------------------

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, both of which are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

