
Redirect assistance needed.



After running an MBAM full scan, it cleaned 5 items. I did not save or back up the program folder, and upon system restore I lost the log file. I can run it again if necessary; it did not repair the redirect issue.

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.5.0_22

Run by Derrick Hedstrom at 14:56:07 on 2011-06-08

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1535.860 [GMT -4:00]

.

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files\Java\jre1.5.0_22\bin\jusched.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_22\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s

mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"

mRun: [<NO NAME>]

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"

mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_22\bin\jusched.exe"

StartupFolder: c:\users\derric~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\derrick hedstrom\appdata\roaming\dropbox\bin\Dropbox.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBC} - c:\progra~1\java\jre15~1.0_2\bin\ssv.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://www.nuemd.com/java/jre-1_5_0_22-windows-i586-p-iftw.exe

DPF: {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2CA5AAF4-0DED-407A-B9DE-605B3484DA8A} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\derrick hedstrom\appdata\roaming\mozilla\firefox\profiles\yqgsz9bx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

.

============= SERVICES / DRIVERS ===============

.

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-4-20 15872]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-4-20 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-25 1343400]

.

=============== Created Last 30 ================

.

2011-06-07 20:29:09 -------- d-----w- c:\users\derrick hedstrom\appdata\roaming\Malwarebytes

2011-06-07 20:28:58 -------- d-----w- c:\programdata\Malwarebytes

2011-06-07 20:28:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-01 15:31:43 49265 ----a-w- c:\windows\system32\jpicpl32.cpl

2011-06-01 15:08:52 -------- d-----w- c:\windows\system32\appmgmt

2011-05-17 10:23:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-04-28 15:00:06 110456 ----a-w- c:\users\derrick hedstrom\g2ax_customer_downloadhelper_win32_x86.exe

2011-04-27 21:10:08 716800 ----a-w- c:\windows\iun6002.exe

2011-04-25 12:27:22 409088 ----a-w- c:\windows\system32\systemcpl.dll

2011-04-25 12:27:22 13824 ----a-w- c:\windows\system32\slwga.dll

2011-04-25 12:27:20 811520 ----a-w- c:\windows\system32\user32.dll

2011-04-25 12:07:48 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-04-19 12:51:07 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-18 21:55:14 446258 ----a-w- c:\windows\AutoKMS.exe

2011-03-11 05:33:59 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-03-11 05:33:59 1137664 ----a-w- c:\windows\system32\mfc42.dll

.

============= FINISH: 14:56:40.93 ===============

attach_ark.rar


Hi Theodoric and Welcome to Malwarebytes!

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software is a program that detects, cleans and erases harmful virus files on a computer, web server or network. Unchecked virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present and will clean, delete (or quarantine) infected files or directories. Please download Avira AntiVir Free.

  • Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


Thank you for your attention. You are correct, I did not have any AV software. I did, however, run Trend Micro HouseCall, which handled six threats. On your advice, I installed Avira and ran a full scan; it cleaned 12 items. Regrettably, I didn't think to uncheck the exterior drive, so that took some time. Log file below.

Thank you again.

I should also note that this PC did have the "recovery" virus as well. It replaced my recycle bin shortcut with a system restore shortcut. Trend Micro seemed to handle that; however, I did have to manually delete the shortcut.

Avira AntiVir Personal

Report file date: Thursday, June 09, 2011 07:23

Scanning for 2746143 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows 7

Windows version : (Service Pack 1) [6.1.7601]

Boot mode : Normally booted

Username : SYSTEM

Computer name : TREASURY

Version information:

BUILD.DAT : 10.0.0.648 31823 Bytes 4/1/2011 18:36:00

AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/1/2011 21:07:43

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2011 21:07:57

LUKE.DLL : 10.0.3.2 104296 Bytes 4/1/2011 21:07:53

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36

VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 20:15:47

VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 20:15:47

VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 11:04:33

VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 11:04:42

VBASE005.VDF : 7.11.8.179 2048 Bytes 5/31/2011 11:04:42

VBASE006.VDF : 7.11.8.180 2048 Bytes 5/31/2011 11:04:42

VBASE007.VDF : 7.11.8.181 2048 Bytes 5/31/2011 11:04:42

VBASE008.VDF : 7.11.8.182 2048 Bytes 5/31/2011 11:04:42

VBASE009.VDF : 7.11.8.183 2048 Bytes 5/31/2011 11:04:43

VBASE010.VDF : 7.11.8.184 2048 Bytes 5/31/2011 11:04:43

VBASE011.VDF : 7.11.8.185 2048 Bytes 5/31/2011 11:04:43

VBASE012.VDF : 7.11.8.186 2048 Bytes 5/31/2011 11:04:43

VBASE013.VDF : 7.11.8.222 121856 Bytes 6/2/2011 11:04:45

VBASE014.VDF : 7.11.9.7 134656 Bytes 6/4/2011 11:04:46

VBASE015.VDF : 7.11.9.42 136192 Bytes 6/6/2011 11:04:47

VBASE016.VDF : 7.11.9.72 117248 Bytes 6/7/2011 11:04:48

VBASE017.VDF : 7.11.9.107 130560 Bytes 6/9/2011 11:04:49

VBASE018.VDF : 7.11.9.108 2048 Bytes 6/9/2011 11:04:49

VBASE019.VDF : 7.11.9.109 2048 Bytes 6/9/2011 11:04:49

VBASE020.VDF : 7.11.9.110 2048 Bytes 6/9/2011 11:04:50

VBASE021.VDF : 7.11.9.111 2048 Bytes 6/9/2011 11:04:50

VBASE022.VDF : 7.11.9.112 2048 Bytes 6/9/2011 11:04:50

VBASE023.VDF : 7.11.9.113 2048 Bytes 6/9/2011 11:04:50

VBASE024.VDF : 7.11.9.114 2048 Bytes 6/9/2011 11:04:50

VBASE025.VDF : 7.11.9.115 2048 Bytes 6/9/2011 11:04:50

VBASE026.VDF : 7.11.9.116 2048 Bytes 6/9/2011 11:04:50

VBASE027.VDF : 7.11.9.117 2048 Bytes 6/9/2011 11:04:51

VBASE028.VDF : 7.11.9.118 2048 Bytes 6/9/2011 11:04:51

VBASE029.VDF : 7.11.9.119 2048 Bytes 6/9/2011 11:04:51

VBASE030.VDF : 7.11.9.120 2048 Bytes 6/9/2011 11:04:51

VBASE031.VDF : 7.11.9.126 53248 Bytes 6/9/2011 11:04:52

Engineversion : 8.2.5.12

AEVDF.DLL : 8.1.2.1 106868 Bytes 3/28/2011 20:15:27

AESCRIPT.DLL : 8.1.3.65 1606010 Bytes 6/9/2011 11:05:07

AESCN.DLL : 8.1.7.2 127349 Bytes 3/28/2011 20:15:27

AESBX.DLL : 8.2.1.34 323957 Bytes 6/9/2011 11:05:08

AERDL.DLL : 8.1.9.9 639347 Bytes 3/25/2011 16:21:38

AEPACK.DLL : 8.2.6.8 557430 Bytes 6/9/2011 11:05:05

AEOFFICE.DLL : 8.1.1.25 205178 Bytes 6/9/2011 11:05:03

AEHEUR.DLL : 8.1.2.123 3502456 Bytes 6/9/2011 11:05:03

AEHELP.DLL : 8.1.17.2 246135 Bytes 6/9/2011 11:04:56

AEGEN.DLL : 8.1.5.6 401780 Bytes 6/9/2011 11:04:55

AEEMU.DLL : 8.1.3.0 393589 Bytes 3/28/2011 20:15:19

AECORE.DLL : 8.1.21.1 196983 Bytes 6/9/2011 11:04:54

AEBB.DLL : 8.1.1.0 53618 Bytes 3/28/2011 20:15:19

AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/28/2011 20:15:31

AVPREF.DLL : 10.0.0.0 44904 Bytes 4/1/2011 21:07:42

AVREP.DLL : 10.0.0.10 174120 Bytes 6/9/2011 11:05:09

AVREG.DLL : 10.0.3.2 53096 Bytes 4/1/2011 21:07:42

AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/1/2011 21:07:43

AVARKT.DLL : 10.0.22.6 231784 Bytes 4/1/2011 21:07:38

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 4/1/2011 21:07:41

SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 19:27:22

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/28/2011 20:15:30

NETNT.DLL : 10.0.0.0 11624 Bytes 3/28/2011 20:15:39

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 4/1/2011 21:07:58

RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/28/2011 20:15:52

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, E:, G:, H:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Thursday, June 09, 2011 07:23

Starting search for hidden objects.

The scan of running processes will be started

Scan process 'plugin-container.exe' - '71' Module(s) have been scanned

Scan process 'firefox.exe' - '103' Module(s) have been scanned

Scan process 'svchost.exe' - '28' Module(s) have been scanned

Scan process 'vssvc.exe' - '47' Module(s) have been scanned

Scan process 'avscan.exe' - '83' Module(s) have been scanned

Scan process 'avscan.exe' - '28' Module(s) have been scanned

Scan process 'avcenter.exe' - '84' Module(s) have been scanned

Scan process 'AUDIODG.EXE' - '37' Module(s) have been scanned

Scan process 'avgnt.exe' - '55' Module(s) have been scanned

Scan process 'sched.exe' - '50' Module(s) have been scanned

Scan process 'conhost.exe' - '14' Module(s) have been scanned

Scan process 'avshadow.exe' - '31' Module(s) have been scanned

Scan process 'avguard.exe' - '64' Module(s) have been scanned

Scan process 'wmpnetwk.exe' - '55' Module(s) have been scanned

Scan process 'iexplore.exe' - '115' Module(s) have been scanned

Scan process 'iexplore.exe' - '92' Module(s) have been scanned

Scan process 'Dropbox.exe' - '66' Module(s) have been scanned

Scan process 'qbupdate.exe' - '95' Module(s) have been scanned

Scan process 'jusched.exe' - '25' Module(s) have been scanned

Scan process 'acrotray.exe' - '25' Module(s) have been scanned

Scan process 'VCDDaemon.exe' - '28' Module(s) have been scanned

Scan process 'Explorer.EXE' - '178' Module(s) have been scanned

Scan process 'Dwm.exe' - '28' Module(s) have been scanned

Scan process 'svchost.exe' - '37' Module(s) have been scanned

Scan process 'OSPPSVC.EXE' - '34' Module(s) have been scanned

Scan process 'taskhost.exe' - '52' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'QBCFMonitorService.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '55' Module(s) have been scanned

Scan process 'svchost.exe' - '63' Module(s) have been scanned

Scan process 'spoolsv.exe' - '91' Module(s) have been scanned

Scan process 'svchost.exe' - '69' Module(s) have been scanned

Scan process 'svchost.exe' - '58' Module(s) have been scanned

Scan process 'svchost.exe' - '138' Module(s) have been scanned

Scan process 'svchost.exe' - '94' Module(s) have been scanned

Scan process 'svchost.exe' - '82' Module(s) have been scanned

Scan process 'svchost.exe' - '42' Module(s) have been scanned

Scan process 'svchost.exe' - '61' Module(s) have been scanned

Scan process 'lsm.exe' - '16' Module(s) have been scanned

Scan process 'lsass.exe' - '62' Module(s) have been scanned

Scan process 'services.exe' - '55' Module(s) have been scanned

Scan process 'winlogon.exe' - '39' Module(s) have been scanned

Scan process 'csrss.exe' - '16' Module(s) have been scanned

Scan process 'wininit.exe' - '26' Module(s) have been scanned

Scan process 'csrss.exe' - '16' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'E:\'

[INFO] No virus was found!

Boot sector 'G:\'

[INFO] No virus was found!

Boot sector 'H:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '956' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\$Recycle.Bin\S-1-5-21-4217141809-3760335584-1917686362-1000\$RA8AHN3\adobe-master-cs4-keygen.exe

[DETECTION] Is the TR/Trash.Gen Trojan

C:\Users\Derrick Hedstrom\AppData\Local\Temp\1A83.tmp

[DETECTION] Is the TR/Kazy.25792.11 Trojan

C:\Users\Derrick Hedstrom\AppData\Local\Temp\tmpF5E1.tmp

[DETECTION] Is the TR/Kazy.25880.4 Trojan

C:\Users\Derrick Hedstrom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\37db3fe2-3c58661b

[DETECTION] Contains recognition pattern of the JAVA/Dldr.Scuds.A Java virus

C:\Users\Derrick Hedstrom\Desktop\Adobe Creative Suite\cs4mc.part10.rar

[0] Archive type: RAR

[DETECTION] Is the TR/Dldr.BZW Trojan

--> cs4mc\adobe-master-cs4-keygen.exe

[DETECTION] Is the TR/Dldr.BZW Trojan

C:\Users\Derrick Hedstrom\Desktop\Adobe Creative Suite\cs4mc\adobe-master-cs4-keygen.exe

[DETECTION] Is the TR/Trash.Gen Trojan

Begin scan in 'E:\' <Elements>

Begin scan in 'G:\' <HMPT>

G:\Microsoft.Office.2007.Keygen.Pack\Msoft.Office.2007.Keygen.Pack\M$oFt OfFiCE 2OO7 KEy GeNeR4Tor.exe

[DETECTION] Is the TR/Vundo.45056 Trojan

G:\System Volume Information\_restore{1668D6A1-ABE3-4109-A8F1-CFF42BD76CDC}\RP1\A0000019.exe

[DETECTION] Is the TR/Agent.156672 Trojan

--> Object

[DETECTION] Is the TR/Agent.156672 Trojan

G:\System Volume Information\_restore{B59B5018-B8F9-4C5E-BE6B-8961919B4977}\RP104\A0008950.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

Begin scan in 'H:\' <Theodoric>

H:\Adobe Creative Suite\cs4mc.part10.rar

[0] Archive type: RAR

[DETECTION] Is the TR/Dldr.BZW Trojan

--> cs4mc\adobe-master-cs4-keygen.exe

[DETECTION] Is the TR/Dldr.BZW Trojan

H:\Adobe Creative Suite\illustrator.rar

[0] Archive type: RAR

[DETECTION] Is the TR/Dldr.BZW Trojan

--> CollectionKeyFinal\adobe-master-cs4-keygen.exe

[DETECTION] Is the TR/Dldr.BZW Trojan

--> CollectionKeyFinal\CS4MCLG.EXE

[DETECTION] Is the TR/Agent.469268.A Trojan

Beginning disinfection:

H:\Adobe Creative Suite\illustrator.rar

[DETECTION] Is the TR/Agent.469268.A Trojan

[NOTE] The file was moved to the quarantine directory under the name '52815507.qua'.

H:\Adobe Creative Suite\cs4mc.part10.rar

[DETECTION] Is the TR/Dldr.BZW Trojan

[NOTE] The file was moved to the quarantine directory under the name '00a604e9.qua'.

G:\System Volume Information\_restore{B59B5018-B8F9-4C5E-BE6B-8961919B4977}\RP104\A0008950.exe

[DETECTION] Is the TR/Dropper.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '66954afb.qua'.

G:\System Volume Information\_restore{1668D6A1-ABE3-4109-A8F1-CFF42BD76CDC}\RP1\A0000019.exe

[DETECTION] Is the TR/Agent.156672 Trojan

[NOTE] The file was moved to the quarantine directory under the name '231167c5.qua'.

G:\Microsoft.Office.2007.Keygen.Pack\Msoft.Office.2007.Keygen.Pack\M$oFt OfFiCE 2OO7 KEy GeNeR4Tor.exe

[DETECTION] Is the TR/Vundo.45056 Trojan

[NOTE] The file was moved to the quarantine directory under the name '5c7555b8.qua'.

C:\Users\Derrick Hedstrom\Desktop\Adobe Creative Suite\cs4mc\adobe-master-cs4-keygen.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '10cd7832.qua'.

C:\Users\Derrick Hedstrom\Desktop\Adobe Creative Suite\cs4mc.part10.rar

[DETECTION] Is the TR/Dldr.BZW Trojan

[NOTE] The file was moved to the quarantine directory under the name '6cae3873.qua'.

C:\Users\Derrick Hedstrom\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\37db3fe2-3c58661b

[DETECTION] Contains recognition pattern of the JAVA/Dldr.Scuds.A Java virus

[NOTE] The file was moved to the quarantine directory under the name '418416d2.qua'.

C:\Users\Derrick Hedstrom\AppData\Local\Temp\tmpF5E1.tmp

[DETECTION] Is the TR/Kazy.25880.4 Trojan

[NOTE] The file was moved to the quarantine directory under the name '58d82c96.qua'.

C:\Users\Derrick Hedstrom\AppData\Local\Temp\1A83.tmp

[DETECTION] Is the TR/Kazy.25792.11 Trojan

[NOTE] The file was moved to the quarantine directory under the name '34cc0172.qua'.

C:\$Recycle.Bin\S-1-5-21-4217141809-3760335584-1917686362-1000\$RA8AHN3\adobe-master-cs4-keygen.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '45023938.qua'.

End of the scan: Thursday, June 09, 2011 10:12

Used time: 2:10:18 Hour(s)

The scan has been done completely.

20664 Scanned directories

1288546 Files were scanned

12 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

11 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

1288534 Files not concerned

4911 Archives were scanned

0 Warnings

11 Notes

440615 Objects were scanned with rootkit scan

0 Hidden objects were found


  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double-click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    cfRC_screen_1.png
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    cfRC_screen_2.png
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log (C:\ComboFix.txt) in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------



HERE IT IS!

ComboFix 11-06-09.01 - Derrick Hedstrom 06/09/2011 12:39:21.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1535.883 [GMT -4:00]

Running from: c:\users\Derrick Hedstrom\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Derrick Hedstrom\AppData\Local\Microsoft\Windows\Temporary Internet Files\mootools.svn.js

c:\users\Derrick Hedstrom\AppData\Local\Microsoft\Windows\Temporary Internet Files\pffcenter.html

c:\users\Derrick Hedstrom\AppData\Local\Microsoft\Windows\Temporary Internet Files\pffCenter.js

c:\users\Derrick Hedstrom\AppData\Local\Microsoft\Windows\Temporary Internet Files\reviewDialog.html

c:\users\Derrick Hedstrom\AppData\Local\Microsoft\Windows\Temporary Internet Files\reviewNotesPopUp.html

c:\users\Derrick Hedstrom\AppData\Local\Microsoft\Windows\Temporary Internet Files\taskNotesDialog.html

c:\users\Derrick Hedstrom\g2ax_customer_downloadhelper_win32_x86.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))

.

.

2011-06-09 16:48 . 2011-06-09 16:48 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Local\temp

2011-06-09 16:48 . 2011-06-09 16:48 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-06-09 14:10 . 2011-06-09 14:10 411368 ----a-w- c:\windows\system32\deploytk.dll

2011-06-09 11:23 . 2011-06-09 11:23 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Roaming\Avira

2011-06-09 11:02 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-09 11:02 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-09 11:02 . 2011-06-09 11:02 -------- d-----w- c:\programdata\Avira

2011-06-09 11:02 . 2011-06-09 11:02 -------- d-----w- c:\program files\Avira

2011-06-08 17:27 . 2011-06-08 17:27 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Local\Mozilla

2011-06-07 20:29 . 2011-06-07 20:29 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Roaming\Malwarebytes

2011-06-07 20:28 . 2011-06-08 13:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-07 20:28 . 2011-06-07 20:28 -------- d-----w- c:\programdata\Malwarebytes

2011-06-01 15:34 . 2011-06-01 15:34 -------- d-----w- c:\windows\Sun

2011-06-01 15:31 . 2011-06-08 13:04 -------- d-----w- c:\program files\Java

2011-06-01 15:30 . 2011-06-01 15:30 -------- d-----w- c:\program files\Common Files\Java

2011-05-17 10:23 . 2011-05-17 10:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-27 21:10 . 2011-04-19 12:08 716800 ----a-w- c:\windows\iun6002.exe

2011-04-25 12:27 . 2011-04-20 13:17 409088 ----a-w- c:\windows\system32\systemcpl.dll

2011-04-25 12:27 . 2011-04-20 13:17 13824 ----a-w- c:\windows\system32\slwga.dll

2011-04-25 12:27 . 2011-04-20 13:18 811520 ----a-w- c:\windows\system32\user32.dll

2011-04-25 12:07 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-04-19 12:51 . 2011-04-19 12:51 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-18 21:55 . 2011-04-18 21:55 446258 ----a-w- c:\windows\AutoKMS.exe

2011-04-11 07:04 . 2011-04-19 17:02 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F64A9A75-9733-401D-8E24-B984FDF4E3F8}\mpengine.dll

2011-04-14 16:26 . 2011-06-08 17:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2011-04-25 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll

[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll

[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_22\bin\jusched.exe" [2009-10-09 75648]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\users\Derrick Hedstrom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-25 1343400]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

.

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\users\Derrick Hedstrom\AppData\Roaming\Mozilla\Firefox\Profiles\yqgsz9bx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(520)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2011-06-09 12:55:42

ComboFix-quarantined-files.txt 2011-06-09 16:55

.

Pre-Run: 445,621,219,328 bytes free

Post-Run: 446,536,167,424 bytes free

.

- - End Of File - - C2D39AFF9EB655FB6DDDFFA4F89200BE

Link to post
Share on other sites

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Link to post
Share on other sites

Here it is..

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 6820

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

6/9/2011 3:11:56 PM

mbam-log-2011-06-09 (15-11-56).txt

Scan type: Quick scan

Objects scanned: 157444

Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\AutoKMS.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

Link to post
Share on other sites

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • Vista/Windows 7 users right-click and select Run As Administrator.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply.

Note: It will also create a log in the C:\ directory.

Link to post
Share on other sites

Please click here to download Kaspersky Virus Removal Tool.

  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect, delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight all of the items found by using ctrl + a on your keyboard to select all, or use your mouse to select all, then right-click and choose Copy.
  10. This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Link to post
Share on other sites

Here we are.

Autoscan: stopped 7 minutes ago (events: 7, objects: 6204, time: 00:14:17)

6/10/2011 10:26:56 AM Task started

6/10/2011 10:26:57 AM Detected: MEM:Rootkit.Win32.Sst.a Unknown application

6/10/2011 10:28:38 AM Cannot be backed up: MEM:Rootkit.Win32.Sst.a Unknown application

6/10/2011 10:33:32 AM Detected: Virus.Win32.TDSS.e c:\Windows\System32\drivers\volsnap.sys

6/10/2011 10:33:46 AM Will be deleted on system restart: Virus.Win32.TDSS.e c:\Windows\System32\drivers\volsnap.sys

6/10/2011 10:39:46 AM Detected: MEM:Rootkit.Win32.Sst.a System Memory

6/10/2011 10:41:13 AM Task stopped

Disinfect active threats: completed 4 minutes ago (events: 6, objects: 4554, time: 00:02:45)

6/10/2011 10:41:13 AM Task started

6/10/2011 10:41:14 AM Detected: MEM:Rootkit.Win32.Sst.a System Memory

6/10/2011 10:41:14 AM Disinfected: MEM:Rootkit.Win32.Sst.a System Memory

6/10/2011 10:41:14 AM Disinfected: MEM:Rootkit.Win32.Sst.a System Memory

6/10/2011 10:42:38 AM Detected: Virus.Win32.TDSS.e C:\Windows\system32\drivers\volsnap.sys

6/10/2011 10:43:58 AM Task completed

Link to post
Share on other sites

Just seen that you are running an outdated version of Malwarebytes. Also, we need to deal with Win32.TDSS.e C:\Windows\system32\drivers\volsnap.sys. That is causing the search redirections.

Step 1:

  • Uninstall Malwarebytes' Anti-Malware from Add/Remove Programs in the Control Panel
  • Restart your computer (very important)
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so (very important)

Next

Please download Malwarebytes Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6832

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

6/10/2011 7:23:57 PM

mbam-log-2011-06-10 (19-23-57).txt

Scan type: Quick scan

Objects scanned: 159888

Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    Volsnap*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review

Link to post
Share on other sites

SystemLook 04.09.10 by jpshortstuff

Log created at 10:27 on 13/06/2011 by Derrick Hedstrom

Administrator - Elevation successful

========== filefind ==========

Searching for "Volsnap*"

C:\Windows\inf\volsnap.inf --a---- 1666 bytes [04:51 14/07/2009] [04:51 14/07/2009] 0513FB1D99C3313A55B8C7F378AB5714

C:\Windows\inf\volsnap.PNF --a---- 5096 bytes [04:38 14/07/2009] [19:31 18/04/2011] EE7FB84D064F2EA30F260BD3F25A39DF

C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [01:47 11/06/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7

C:\Windows\System32\drivers\en-US\volsnap.sys.mui --a---- 23552 bytes [04:55 14/07/2009] [02:03 14/07/2009] 747EC73A2F1046431763323C1E26F017

C:\Windows\System32\DriverStore\en-US\volsnap.inf_loc --a---- 198 bytes [04:55 14/07/2009] [02:04 14/07/2009] F040058B592FE682204B2FC15DDEAC0D

C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_x86_neutral_42f862e05fcb0306\volsnap.inf --a---- 1666 bytes [20:21 13/07/2009] [20:21 13/07/2009] 0513FB1D99C3313A55B8C7F378AB5714

C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_x86_neutral_42f862e05fcb0306\volsnap.PNF --a---- 5096 bytes [04:51 14/07/2009] [19:31 18/04/2011] DF2A743FD96AE6B44FDB877FD7CCF5A8

C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys --a---- 245632 bytes [13:18 20/04/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7

C:\Windows\winsxs\x86_volsnap.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_13398118e291963b\volsnap.inf_loc --a---- 198 bytes [04:55 14/07/2009] [02:04 14/07/2009] F040058B592FE682204B2FC15DDEAC0D

C:\Windows\winsxs\x86_volsnap.inf_31bf3856ad364e35_6.1.7600.16385_none_6d76054c9136060d\volsnap.inf --a---- 1666 bytes [20:21 13/07/2009] [20:21 13/07/2009] 0513FB1D99C3313A55B8C7F378AB5714

C:\Windows\winsxs\x86_volume.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7afca05c2148f2a6\volsnap.sys.mui --a---- 23552 bytes [04:55 14/07/2009] [02:03 14/07/2009] 747EC73A2F1046431763323C1E26F017

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD

C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [13:18 20/04/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7

C:\Windows.old\Windows\$NtServicePackUninstall$\volsnap.sys --a--c- 49152 bytes [18:24 18/04/2011] [12:00 31/03/2003] 6FDC9523EF81617CF5028F47FCAF0FBE

C:\Windows.old\Windows\inf\volsnap.inf --a---- 1095 bytes [12:00 31/03/2003] [12:00 31/03/2003] 1C43F4D998567C9D2463E18669F33A3C

C:\Windows.old\Windows\inf\volsnap.PNF --a---- 4964 bytes [13:41 18/04/2011] [13:41 18/04/2011] 4A2A3407610708B1353A1BE2673029F3

C:\Windows.old\Windows\ServicePackFiles\i386\volsnap.sys --a---- 52352 bytes [18:27 18/04/2011] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

C:\Windows.old\Windows\system32\drivers\volsnap.sys --a---- 52352 bytes [12:00 31/03/2003] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025

-= EOF =-

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software

Run date: 2011-06-13 10:29:08

-----------------------------

10:29:08.749 OS Version: Windows 6.1.7601 Service Pack 1

10:29:08.749 Number of processors: 2 586 0x304

10:29:08.752 ComputerName: TREASURY UserName:

10:29:10.754 Initialize success

10:29:25.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1

10:29:25.256 Disk 0 Vendor: WDC_WD5000AAKX-001CA0 15.01H15 Size: 476940MB BusType: 3

10:29:27.271 Disk 0 MBR read successfully

10:29:27.277 Disk 0 MBR scan

10:29:27.283 Disk 0 Windows 7 default MBR code

10:29:29.291 Disk 0 scanning sectors +976752000

10:29:29.324 Disk 0 scanning C:\Windows\system32\drivers

10:29:40.533 Service scanning

10:29:41.405 Disk 0 trace - called modules:

10:29:41.419 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll intelide.sys PCIIDEX.SYS atapi.sys

10:29:41.420 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8532d860]

10:29:41.420 3 CLASSPNP.SYS[8866b59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x8525b908]

10:29:41.421 Scan finished successfully

10:29:58.528 Disk 0 MBR has been saved successfully to "C:\Users\Derrick Hedstrom\Desktop\MBR.dat"

10:29:58.550 The log file has been saved successfully to "C:\Users\Derrick Hedstrom\Desktop\aswMBR.txt"

Link to post
Share on other sites

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::
TDL::
c:\windows\system32\drivers\volsnap.sys

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

ComboFix 11-06-13.01 - Derrick Hedstrom 06/13/2011 13:03:39.3.2 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1535.897 [GMT -4:00]

Running from: c:\users\Derrick Hedstrom\Desktop\ComboFix.exe

Command switches used :: c:\users\Derrick Hedstrom\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-05-13 to 2011-06-13 )))))))))))))))))))))))))))))))

.

.

2011-06-13 17:11 . 2011-06-13 17:11 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-06-13 17:11 . 2011-06-13 17:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2011-06-11 01:47 . 2010-11-20 12:30 245632 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-06-10 23:18 . 2011-06-10 23:18 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Roaming\Malwarebytes

2011-06-10 23:18 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-10 23:18 . 2011-06-10 23:18 -------- d-----w- c:\programdata\Malwarebytes

2011-06-10 23:18 . 2011-06-10 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-10 23:18 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-10 14:26 . 2011-06-10 23:15 -------- d-----w- c:\programdata\Kaspersky Lab

2011-06-10 13:28 . 2011-06-10 13:28 -------- d-----w- c:\program files\ESET

2011-06-09 19:08 . 2011-06-09 19:08 33 ----a-w- c:\windows\MTPPA.BIN

2011-06-09 16:55 . 2011-06-13 17:15 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Local\temp

2011-06-09 14:10 . 2011-06-09 14:10 411368 ----a-w- c:\windows\system32\deploytk.dll

2011-06-09 11:23 . 2011-06-09 11:23 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Roaming\Avira

2011-06-09 11:02 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-09 11:02 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-09 11:02 . 2011-06-09 11:02 -------- d-----w- c:\programdata\Avira

2011-06-09 11:02 . 2011-06-09 11:02 -------- d-----w- c:\program files\Avira

2011-06-08 17:27 . 2011-06-08 17:27 -------- d-----w- c:\users\Derrick Hedstrom\AppData\Local\Mozilla

2011-06-01 15:34 . 2011-06-01 15:34 -------- d-----w- c:\windows\Sun

2011-06-01 15:31 . 2011-06-08 13:04 -------- d-----w- c:\program files\Java

2011-06-01 15:30 . 2011-06-01 15:30 -------- d-----w- c:\program files\Common Files\Java

2011-05-17 10:23 . 2011-05-17 10:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-27 21:10 . 2011-04-19 12:08 716800 ----a-w- c:\windows\iun6002.exe

2011-04-25 12:27 . 2011-04-20 13:17 409088 ----a-w- c:\windows\system32\systemcpl.dll

2011-04-25 12:27 . 2011-04-20 13:17 13824 ----a-w- c:\windows\system32\slwga.dll

2011-04-25 12:27 . 2011-04-20 13:18 811520 ----a-w- c:\windows\system32\user32.dll

2011-04-25 12:07 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-04-19 12:51 . 2011-04-19 12:51 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-11 07:04 . 2011-04-19 17:02 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F64A9A75-9733-401D-8E24-B984FDF4E3F8}\mpengine.dll

2011-04-14 16:26 . 2011-06-08 17:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2011-04-25 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll

[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll

[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_22\bin\jusched.exe" [2009-10-09 75648]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\users\Derrick Hedstrom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]

_uninst_setup_9.0.0.722_10.06.2011_17-03.exe.lnk - c:\users\Derrick Hedstrom\AppData\Local\temp\_uninst_setup_9.0.0.722_10.06.2011_17-03.exe.bat [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-4-5 1149440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-25 1343400]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]

.

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll

FF - ProfilePath - c:\users\Derrick Hedstrom\AppData\Roaming\Mozilla\Firefox\Profiles\yqgsz9bx.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(496)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

- - - - - - - > 'Explorer.exe'(3776)

c:\users\Derrick Hedstrom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\AUDIODG.EXE

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\conhost.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2011-06-13 13:19:39 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-13 17:19

ComboFix2.txt 2011-06-13 16:57

ComboFix3.txt 2011-06-09 16:55

.

Pre-Run: 446,013,071,360 bytes free

Post-Run: 445,835,280,384 bytes free

.

- - End Of File - - 77D8DB8000DBF38C4CFB37EE8DCE2500

Link to post
Share on other sites

volsnap.sys is still infected and we need to replace it with a clean copy. If we remove it, your PC will not boot into Windows anymore. So let's see if this works. By the way, do you have the Windows 7 CD?

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

KILLALL::
FCopy::
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys | C:\WINDOWS\system32\drivers\volsnap.sys

Note: make sure you copy the complete script.

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Note that the script has a scroll bar; make sure you copy the complete script.

Link to post
Share on other sites
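The comparison the helper performs by hand in the posts above (checking the live volsnap.sys in System32\drivers against Windows' own copies in the DriverStore and WinSxS, then choosing which repository copy the FCopy script should restore from) can be done mechanically from the SystemLook output. The following is an added example for this thread; it is not part of the original posts and is not code from SystemLook, ComboFix or any other tool used here. It parses SystemLook's filefind line format, and its sample input is constructed from lines of the SystemLook log posted above, with sizes, dates and MD5 values exactly as SystemLook reported them.

```python
import re
from datetime import datetime

# Constructed sample input: lines copied from the SystemLook "filefind" log
# posted earlier in this thread (hashes and dates as SystemLook reported them).
SYSTEMLOOK_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
========== filefind ==========
Searching for "Volsnap*"
C:\Windows\System32\drivers\volsnap.sys --a---- 245632 bytes [01:47 11/06/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys --a---- 245632 bytes [13:18 20/04/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [13:18 20/04/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7
C:\Windows.old\Windows\system32\drivers\volsnap.sys --a---- 52352 bytes [12:00 31/03/2003] [04:11 14/04/2008] 4C8FCB5CC53AAB716D810740FE59D025
-= EOF =-
"""

# One SystemLook filefind result line:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})\s*$"
)


def classify(path):
    """Which role a copy of the file plays on the system."""
    p = path.lower()
    if p.startswith("c:\\windows.old\\"):
        return "stale"        # leftover of a previous installation, never a restore source
    if p.startswith("c:\\windows\\system32\\drivers\\"):
        return "live"         # the copy the kernel actually loads
    if "\\driverstore\\filerepository\\" in p or "\\winsxs\\" in p:
        return "repository"   # Windows' own pristine copies
    return "other"


def parse_filefind(log_text, filename="volsnap.sys"):
    """Return one record per filefind line whose basename is `filename`."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers, "Searching for", EOF marker
        path = m.group("path")
        if path.lower().rsplit("\\", 1)[-1] != filename.lower():
            continue                      # skip .inf/.PNF/.mui hits for the same stem
        records.append({
            "path": path,
            "kind": classify(path),
            "size": int(m.group("size")),
            "modified": datetime.strptime(m.group("modified"), "%H:%M %d/%m/%Y"),
            "md5": m.group("md5").upper(),
        })
    return records


def check_live_driver(log_text, filename="volsnap.sys"):
    """Compare the live driver's size and MD5 with every repository copy."""
    records = parse_filefind(log_text, filename)
    live = [r for r in records if r["kind"] == "live"]
    repo = [r for r in records if r["kind"] == "repository"]
    if not live:
        return {"verdict": "live_copy_not_found", "live": None,
                "matching_repository": [], "repository": repo}
    live = live[0]
    matching = [r for r in repo if r["md5"] == live["md5"] and r["size"] == live["size"]]
    verdict = "matches_repository" if matching else "no_repository_match"
    return {"verdict": verdict, "live": live,
            "matching_repository": matching, "repository": repo}


def pick_restore_source(records):
    """Repository copy to restore from: the most recently built one; on a tie prefer
    the DriverStore, as the helper did when writing the FCopy line above."""
    repo = [r for r in records if r["kind"] == "repository"]
    if not repo:
        return None
    repo.sort(key=lambda r: (r["modified"], "\\driverstore\\" in r["path"].lower()),
              reverse=True)
    return repo[0]["path"]


if __name__ == "__main__":
    result = check_live_driver(SYSTEMLOOK_LOG)
    print(result["verdict"], result["live"]["md5"])
    for r in result["matching_repository"]:
        print("  same bytes as", r["path"])
    print("restore source:", pick_restore_source(parse_filefind(SYSTEMLOOK_LOG)))
```

Run against the log in this thread it reports that the live driver is byte-for-byte identical to the DriverStore copy and the 6.1.7601.17514 WinSxS copy, and it selects the DriverStore path that the helper put in the FCopy line. That is also the caveat worth taking from this thread: Kaspersky still flagged the file even though the hashes agree. Identical hashes across on-disk copies only prove that the copies agree with each other as read through the running kernel; a rootkit that filters disk reads can hand clean bytes to every user-mode tool, which is why the helper went by the rootkit scanner's verdict and a reboot-time replacement rather than by a hash match alone.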

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
