
Google (and other search engines) redirect infection



Hi there,

Our laptop became infected with what I believe is a rootkit virus that is redirecting all clicks on search engine queries (Google, Bing, etc.) to random pages. After trying a couple of things unsuccessfully, I followed the instructions from the "I'm infected - what do I do now?" posting ... some of the logs are posted below. Thanks in advance for any help.

Prior to running the steps as outlined in the malware posting, I tried Hitman 3.5 and ComboFix. When I used Hitman it identified issues with my volsnap.sys driver, although I don't think it successfully repaired/replaced it. I also downloaded TDSSKiller from Kaspersky but have been unable to get it to run (tried renaming it to various name.exe and name.com combinations).

If it's helpful, the issues we are experiencing started around 6/2 or 6/3.

Here is the log from my DDS scan. Below are the logs from two Anti-Malware scans, and I have attached the Attach.txt file from DDS and the Ark.txt file from GMER (zipped).

******

DDS (Ver_2011-06-11.01) - NTFSx86

Internet Explorer: 8.0.7600.16385

Run by PBAT at 15:39:42 on 2011-06-11

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.917 [GMT -7:00]

.

AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\windows\system32\taskeng.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\windows\system32\igfxsrvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\windows\system32\SearchIndexer.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\windows\system32\conhost.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\windows\system32\taskeng.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\windows\system32\igfxext.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\windows\system32\sppsvc.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\windows\System32\svchost.exe -k swprv

C:\windows\system32\NOTEPAD.EXE

C:\windows\servicing\TrustedInstaller.exe

C:\windows\system32\wuauclt.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\conhost.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [sVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP

mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60

mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe

mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 68.87.69.146 68.87.85.98

TCP: Interfaces\{2B628043-564D-499C-B681-5AC04A3A786D} : DhcpNameServer = 100.100.0.103

TCP: Interfaces\{D9764B42-5967-4B96-B13D-4017F698D53C} : DhcpNameServer = 68.87.69.146 68.87.85.98

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: igfxcui - igfxdev.dll

mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\pbat\appdata\roaming\mozilla\firefox\profiles\bg97zk3n.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG(2178).dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\users\pbat\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

============= SERVICES / DRIVERS ===============

.

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-11 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-11 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-11 61960]

R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-14 167936]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-11-14 376320]

R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-11-14 51512]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-11 366640]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-6-10 17480]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-5 1343400]

.

=============== Created Last 30 ================

.

2011-06-11 16:05:14 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-11 16:05:13 -------- d-----w- c:\programdata\Avira

2011-06-11 16:05:13 -------- d-----w- c:\program files\Avira

2011-06-11 15:48:58 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-11 06:50:42 -------- d-----w- C:\$RECYCLE.BIN

2011-06-11 06:31:51 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-11 06:31:50 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-11 06:22:30 -------- d--h--w- c:\windows\PIF

2011-06-11 06:12:24 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{7b1513f6-9533-47c2-838c-ab491caaffc0}\mpengine.dll

2011-06-11 06:11:58 98816 ----a-w- c:\windows\sed.exe

2011-06-11 06:11:58 518144 ----a-w- c:\windows\SWREG.exe

2011-06-11 06:11:58 256512 ----a-w- c:\windows\PEV.exe

2011-06-11 06:11:58 208896 ----a-w- c:\windows\MBR.exe

2011-06-11 03:54:55 -------- d-----w- c:\programdata\Hitman Pro

2011-06-04 20:49:28 -------- d-----w- c:\users\pbat\appdata\roaming\Malwarebytes

2011-06-04 20:49:21 -------- d-----w- c:\programdata\Malwarebytes

2011-06-04 20:49:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-04 20:24:58 -------- d-----w- C:\rei

2011-06-04 20:24:54 -------- d-----w- c:\program files\Reimage

2011-05-25 03:31:40 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-19 15:45:20 123904 ----a-w- c:\windows\system32\poqexec.exe

.

==================== Find3M ====================

.

2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-03-25 03:06:46 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-03-25 03:06:25 284160 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-03-25 03:06:23 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-03-25 03:06:12 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-03-25 03:06:11 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-03-25 03:06:10 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-03-25 03:06:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

.

============= FINISH: 15:40:04.03 ===============

HERE is the log from my most recent Malwarebytes Anti-Malware Scan (today):

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6835

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

6/11/2011 9:37:50 AM

mbam-log-2011-06-11 (09-37-50).txt

Scan type: Full scan (C:\|)

Objects scanned: 224150

Time elapsed: 27 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

And here is the MBAM log from the initial scan back on 6/4 when we first experienced the problems.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6773

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

6/4/2011 2:24:55 PM

mbam-log-2011-06-04 (14-24-55).txt

Scan type: Quick scan

Objects scanned: 144269

Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

c:\programdata\kcgkxxpejyttjjy.exe (Trojan.FakeMS) -> 3212 -> Unloaded process successfully.

c:\programdata\27647736.exe (Trojan.Agent.GD) -> 3464 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KcGKxXpEJYTtjJY (Trojan.FakeMS) -> Value: KcGKxXpEJYTtjJY -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\programdata\kcgkxxpejyttjjy.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

c:\programdata\27647736.exe (Trojan.Agent.GD) -> Quarantined and deleted successfully.

c:\Users\PBAT\AppData\Local\Temp\01e7808b.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\PBAT\AppData\Local\Temp\jar_cache4652515797989586279.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.

c:\Users\PBAT\AppData\Local\Temp\jar_cache5152222616803756135.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.

c:\Users\PBAT\AppData\Local\Temp\tmpD10B.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.

c:\Users\PBAT\AppData\Local\Temp\tmpF369.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.


Logs will be closed if you haven't replied within 3 days

Please do not attach the scan results from Combofix. Use copy/paste.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

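The Folder Options steps above (both the XP and Vista paths) toggle three per-user registry values under Explorer's Advanced key. The PowerShell below is an added example, not part of the helper's post or any tool it names; it reads those values, reports which ones still hide files or extensions, and can apply the same settings without the GUI. The function names are my own; it assumes it is run as the affected user in Windows PowerShell.

```powershell
# Added example (not from the forum post): the registry side of the
# "show hidden files / show extensions / show protected OS files" steps.
# These are per-user values, so run this as the user whose view you want to change.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Desired state for malware triage. Note the mixed polarity:
#   Hidden          1 = "Show hidden files and folders"   (2 = do not show)
#   HideFileExt     0 = extensions visible                 (1 = hidden)
#   ShowSuperHidden 1 = protected OS files visible         (0 = hidden)
$desired = @{
    Hidden          = 1
    HideFileExt     = 0
    ShowSuperHidden = 1
}

function Get-ExplorerVisibilityState {
    # Report each setting with its current value and whether it already
    # matches the triage-friendly value.
    $current = Get-ItemProperty -Path $advanced
    foreach ($name in $desired.Keys) {
        $value = $current.$name
        [pscustomobject]@{
            Setting = $name
            Current = $value
            Desired = $desired[$name]
            Ok      = ($value -eq $desired[$name])
        }
    }
}

function Set-ExplorerVisibilityState {
    # Apply the three values. Explorer reads them when it starts, so open
    # windows only pick the change up after Explorer is restarted or the
    # user signs out and in again.
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $desired[$name] -Type DWord
    }
}

Get-ExplorerVisibilityState | Format-Table -AutoSize
# Uncomment to apply the settings:
# Set-ExplorerVisibilityState
```

Reading the state before changing it is useful on a suspect machine: malware that wants to hide its droppers sometimes sets these values back, so a setting that keeps reverting after you fix it is itself a finding.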

Thanks for the instructions. I enabled the viewing of hidden/protected files, then ran ATF Cleaner, then ran CF. Log pasted here:

ComboFix 11-06-13.02 - PBAT 06/13/2011 19:50:03.4.1 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1270 [GMT -7:00]

Running from: c:\users\PBAT\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-05-14 to 2011-06-14 )))))))))))))))))))))))))))))))

.

.

2011-06-14 02:54 . 2011-06-14 02:54 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-06-13 13:36 . 2011-06-13 13:36 -------- d-----w- c:\users\PBAT\AppData\Roaming\Avira

2011-06-11 16:05 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-11 16:05 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-11 16:05 . 2011-06-11 16:05 -------- d-----w- c:\programdata\Avira

2011-06-11 16:05 . 2011-06-11 16:05 -------- d-----w- c:\program files\Avira

2011-06-11 15:48 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-11 06:31 . 2011-06-13 14:12 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-11 06:31 . 2011-06-11 06:31 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-11 06:22 . 2011-06-11 06:22 -------- d--h--w- c:\windows\PIF

2011-06-11 06:12 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B1513F6-9533-47C2-838C-AB491CAAFFC0}\mpengine.dll

2011-06-11 03:54 . 2011-06-11 06:36 -------- d-----w- c:\programdata\Hitman Pro

2011-06-04 20:49 . 2011-06-04 20:49 -------- d-----w- c:\users\PBAT\AppData\Roaming\Malwarebytes

2011-06-04 20:49 . 2011-06-04 20:49 -------- d-----w- c:\programdata\Malwarebytes

2011-06-04 20:49 . 2011-06-11 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-04 20:24 . 2011-06-11 07:07 -------- d-----w- C:\rei

2011-06-04 20:24 . 2011-06-04 20:24 -------- d-----w- c:\program files\Reimage

2011-05-25 03:31 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-19 15:45 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-09 06:13 . 2011-05-11 14:27 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-04-09 06:13 . 2011-05-11 14:27 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-03-25 03:06 . 2011-05-11 14:27 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-03-25 03:06 . 2011-05-11 14:27 284160 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-03-25 03:06 . 2011-05-11 14:27 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-03-25 03:06 . 2011-05-11 14:27 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-03-25 03:06 . 2011-05-11 14:27 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-03-25 03:06 . 2011-05-11 14:27 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-03-25 03:06 . 2011-05-11 14:27 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-28 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]

"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]

"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]

"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 611672]

"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1343400]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]

S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]

S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-09-17 111960]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]

2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:45]

.

2011-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:45]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

TCP: DhcpNameServer = 68.87.69.146 68.87.85.98

FF - ProfilePath - c:\users\PBAT\AppData\Roaming\Mozilla\Firefox\Profiles\bg97zk3n.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-06-13 19:56:52

ComboFix-quarantined-files.txt 2011-06-14 02:56

ComboFix2.txt 2011-06-13 13:46

ComboFix3.txt 2011-06-11 06:54

ComboFix4.txt 2011-06-11 06:20

ComboFix5.txt 2011-06-14 02:49

.

Pre-Run: 207,565,090,816 bytes free

Post-Run: 207,517,077,504 bytes free

.

- - End Of File - - 108A2AD2F3BD8D55046E2ABE9F341E28


Delete the TDSSKiller you have now.

Next:

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


Hi,

I downloaded and ran Goored Fix. It ran very fast, then produced a log file, but I didn't see any windows offering any actions to perform. I have not copy/pasted the log here, but will do so if you like. The log was short and only seemed to reference Firefox, nothing about IE.

I then deleted the TDSSKiller file that I had previously downloaded and redownloaded/saved the zip file from the link you posted.

However, when I extracted, opened the folder, and double-clicked on the exe file, it asked me if I wanted to run the application, I clicked yes, and nothing happened. I got the hourglass on the mouse for a few seconds, and the disk drive was definitely spinning, but the application never launched. I rebooted and tried again but nothing happened.

In terms of how my computer is behaving otherwise, it seems fine. We've been trying to avoid using it, but it starts up quickly, and IE seems to be working fine if you directly type in URLs vs. using any search engine results. MS Office also seems to be working. In looking at the task manager, there are 2 iexplore.exe processes running right after starting up (even if IE hasn't been opened yet) and one of them is consuming a lot of memory (constantly moving but around 100k). If I launch IE then there are 3 or 4 iexplores listed in processes.

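The observation in the post above (iexplore.exe instances present before anyone opened a browser, one of them busy) is a classic triage signal, and the DDS process list earlier in the thread also shows four iexplore.exe entries. The PowerShell below is an added example, not something from the thread or from any of the tools it mentions; it lists every instance of a given process with its parent, command line and working set, and flags instances whose parent is neither Explorer nor the browser itself. The parent-name heuristic and the function name are mine; treat a flagged row as something to investigate, not as a verdict.

```powershell
# Added example (not from the thread): parent/child triage for browser processes.
# A browser window the user opened is normally a child of explorer.exe, and
# browser tab/child processes are children of the browser executable. An
# instance whose parent has exited, or whose parent is some other program,
# deserves a closer look (check its modules, network connections and the
# process that started it). Uses CIM, available in Windows PowerShell 3.0+.
function Get-SuspiciousBrowserProcess {
    param(
        [string]$Name = 'iexplore.exe',
        [string[]]$ExpectedParents = @('explorer.exe')
    )

    $all = Get-CimInstance -ClassName Win32_Process

    # Index by PID so parent lookups are O(1) and a missing parent is detectable.
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    # The browser's own child processes (tabs) are legitimate too.
    $ok = $ExpectedParents + $Name

    foreach ($p in ($all | Where-Object { $_.Name -ieq $Name })) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        [pscustomobject]@{
            Pid          = $p.ProcessId
            Parent       = $parentName
            ParentPid    = $p.ParentProcessId
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            Path         = $p.ExecutablePath
            # "-Embedding" on the command line means the process was started
            # as a COM server by another program, not from a shortcut or link.
            CommandLine  = $p.CommandLine
            Suspicious   = ($ok -notcontains $parentName)
        }
    }
}

Get-SuspiciousBrowserProcess |
    Sort-Object Suspicious -Descending |
    Format-Table Pid, Parent, ParentPid, WorkingSetMB, Suspicious, CommandLine -AutoSize
```

Run it right after logon, before opening a browser, and save the output; an instance that is already there at that point, with an exited parent or a busy working set, is exactly the kind of thing the helper will want to see alongside the tool logs. `Path` is also worth comparing against the expected install directory, since a process can be named iexplore.exe while running from somewhere else.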

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Now try TDSSKiller


I dropped the script onto ComboFix, which launched that program. It identified an infected driver (Volsnap.sys) which it said it replaced/repaired. It also rebooted my machine. Let me know if I should copy/paste that log file.

Unfortunately, TDSS still didn't run after CF ran. After I tried to get TDSS to run, I got another anti-malware window saying [openevent] failed to perform desired action. Error code 2.


Here is the log from ComboFix...

Thanks for your help!

ComboFix 11-06-13.02 - PBAT 06/14/2011 6:17.5.1 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1274 [GMT -7:00]

Running from: c:\users\PBAT\Desktop\ComboFix.exe

Command switches used :: c:\users\PBAT\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

Infected copy of c:\windows\system32\Drivers\Volsnap.sys was found and disinfected

Restored copy from - c:\windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys

.

((((((((((((((((((((((((( Files Created from 2011-05-14 to 2011-06-14 )))))))))))))))))))))))))))))))

.

.

2011-06-14 13:22 . 2011-06-14 13:22 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-06-13 13:36 . 2011-06-13 13:36 -------- d-----w- c:\users\PBAT\AppData\Roaming\Avira

2011-06-11 16:05 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-11 16:05 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-11 16:05 . 2011-06-11 16:05 -------- d-----w- c:\programdata\Avira

2011-06-11 16:05 . 2011-06-11 16:05 -------- d-----w- c:\program files\Avira

2011-06-11 15:48 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-11 06:31 . 2011-06-13 14:12 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-11 06:31 . 2011-06-11 06:31 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-11 06:22 . 2011-06-11 06:22 -------- d--h--w- c:\windows\PIF

2011-06-11 06:12 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B1513F6-9533-47C2-838C-AB491CAAFFC0}\mpengine.dll

2011-06-11 03:54 . 2011-06-11 06:36 -------- d-----w- c:\programdata\Hitman Pro

2011-06-04 20:49 . 2011-06-04 20:49 -------- d-----w- c:\users\PBAT\AppData\Roaming\Malwarebytes

2011-06-04 20:49 . 2011-06-04 20:49 -------- d-----w- c:\programdata\Malwarebytes

2011-06-04 20:49 . 2011-06-11 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-04 20:24 . 2011-06-11 07:07 -------- d-----w- C:\rei

2011-06-04 20:24 . 2011-06-04 20:24 -------- d-----w- c:\program files\Reimage

2011-05-25 03:31 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-19 15:45 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-09 06:13 . 2011-05-11 14:27 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-04-09 06:13 . 2011-05-11 14:27 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-03-25 03:06 . 2011-05-11 14:27 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-03-25 03:06 . 2011-05-11 14:27 284160 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-03-25 03:06 . 2011-05-11 14:27 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-03-25 03:06 . 2011-05-11 14:27 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-03-25 03:06 . 2011-05-11 14:27 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-03-25 03:06 . 2011-05-11 14:27 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-03-25 03:06 . 2011-05-11 14:27 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-28 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]

"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]

"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]

"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 611672]

"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1343400]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]

S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]

S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-09-17 111960]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]

2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:45]

.

2011-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:45]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

TCP: DhcpNameServer = 68.87.69.146 68.87.85.98

FF - ProfilePath - c:\users\PBAT\AppData\Roaming\Mozilla\Firefox\Profiles\bg97zk3n.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\taskhost.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\conhost.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe

c:\windows\system32\conhost.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\windows\system32\igfxext.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Google\Google Toolbar\GoogleToolbarUser_32.exe

c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe

c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

c:\windows\system32\sppsvc.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2011-06-14 06:28:13 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-14 13:28

ComboFix2.txt 2011-06-14 02:56

ComboFix3.txt 2011-06-13 13:46

ComboFix4.txt 2011-06-11 06:54

ComboFix5.txt 2011-06-14 13:17

.

Pre-Run: 207,256,141,824 bytes free

Post-Run: 207,210,676,224 bytes free

.

- - End Of File - - B1A0E6A73F81B960626F9832E03284B2


Aargh... I turned off the auto-start on Malwarebytes (with Windows) and restarted the computer... then tried to launch TDSS. It still didn't work. I opened IE and tried clicking on a search result link and it still got redirected, so whatever is causing that is still out there somewhere...

I had been doing all of the previous steps this morning before I left for work, then tried these last few things tonight. During the day my wife used the computer some for web browsing - not sure if that would have had an impact or not...

In addition to Malwarebytes' Anti-Malware, I also have Avira antivirus installed - let me know if I should disable that as well...

Thanks


Here's my ComboFix log from running it this morning. And yes, I am running a router - Belkin wireless router on top of Comcast cable modem. Our other computer on the same network hasn't appeared to have any problems, though.

ComboFix 11-06-14.03 - PBAT 06/15/2011 6:02.6.1 - x86

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1913.1174 [GMT -7:00]

Running from: c:\users\PBAT\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

Infected copy of c:\windows\system32\Drivers\Volsnap.sys was found and disinfected

Restored copy from - c:\windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys

.

((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))

.

.

2011-06-15 13:07 . 2011-06-15 13:07 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-06-13 13:36 . 2011-06-13 13:36 -------- d-----w- c:\users\PBAT\AppData\Roaming\Avira

2011-06-11 16:05 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-11 16:05 . 2011-04-02 00:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-11 16:05 . 2011-06-11 16:05 -------- d-----w- c:\programdata\Avira

2011-06-11 16:05 . 2011-06-11 16:05 -------- d-----w- c:\program files\Avira

2011-06-11 15:48 . 2011-05-29 16:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-11 06:31 . 2011-06-13 14:12 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-06-11 06:31 . 2011-06-11 06:31 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-06-11 06:22 . 2011-06-11 06:22 -------- d--h--w- c:\windows\PIF

2011-06-11 06:12 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B1513F6-9533-47C2-838C-AB491CAAFFC0}\mpengine.dll

2011-06-11 03:54 . 2011-06-11 06:36 -------- d-----w- c:\programdata\Hitman Pro

2011-06-04 20:49 . 2011-06-04 20:49 -------- d-----w- c:\users\PBAT\AppData\Roaming\Malwarebytes

2011-06-04 20:49 . 2011-06-04 20:49 -------- d-----w- c:\programdata\Malwarebytes

2011-06-04 20:49 . 2011-06-11 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-04 20:24 . 2011-06-11 07:07 -------- d-----w- C:\rei

2011-06-04 20:24 . 2011-06-04 20:24 -------- d-----w- c:\program files\Reimage

2011-05-25 03:31 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2011-05-19 15:45 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-09 06:13 . 2011-05-11 14:27 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-04-09 06:13 . 2011-05-11 14:27 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-03-25 03:06 . 2011-05-11 14:27 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-03-25 03:06 . 2011-05-11 14:27 284160 ----a-w- c:\windows\system32\drivers\usbport.sys

2011-03-25 03:06 . 2011-05-11 14:27 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-03-25 03:06 . 2011-05-11 14:27 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-03-25 03:06 . 2011-05-11 14:27 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys

2011-03-25 03:06 . 2011-05-11 14:27 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2011-03-25 03:06 . 2011-05-11 14:27 5888 ----a-w- c:\windows\system32\drivers\usbd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-28 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-02 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-02 174104]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-02 151064]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]

"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2009-07-10 352256]

"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2009-06-02 425984]

"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2009-01-14 34088]

"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-05 476512]

"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]

"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]

"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 611672]

"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1343400]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]

S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]

S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-23 167936]

S3 RTL8187B;Realtek RTL8187B Wireless 802.11bg 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-08-13 376320]

S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-09-17 111960]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]

2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:45]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 14:45]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

TCP: DhcpNameServer = 68.87.69.146 68.87.85.98

FF - ProfilePath - c:\users\PBAT\AppData\Roaming\Mozilla\Firefox\Profiles\bg97zk3n.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\taskhost.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\TODDSrv.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\windows\system32\conhost.exe

c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe

c:\windows\system32\conhost.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\TOSHIBA\ConfigFree\NDSTray.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\windows\system32\igfxext.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\Google\Google Toolbar\GoogleToolbarUser_32.exe

c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe

c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

c:\windows\system32\sppsvc.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2011-06-15 06:13:09 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-15 13:13

ComboFix2.txt 2011-06-14 13:28

ComboFix3.txt 2011-06-14 02:56

ComboFix4.txt 2011-06-13 13:46

ComboFix5.txt 2011-06-15 13:01

.

Pre-Run: 207,434,113,024 bytes free

Post-Run: 207,389,655,040 bytes free

.

- - End Of File - - 7E010DB47B5A7E321EB0D29519978221

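Added example, not code from this thread or from ComboFix: a small Python parser for the ComboFix log lines posted above (the "Files Created" entries and the "Infected copy ... was found and disinfected" line). Run over excerpts of the 06/14 and 06/15 logs, it flags a file reported disinfected in both runs, which is exactly what the two logs show for Volsnap.sys. The excerpts are constructed from the logs above and the function names are my own.

```python
import re

# Constructed excerpts of the two ComboFix logs posted above (06/14 and 06/15
# runs), trimmed to the line types this parser reads.
LOG_RUN1 = r"""
ComboFix 11-06-13.02 - PBAT 06/14/2011 6:17.5.1 - x86
Infected copy of c:\windows\system32\Drivers\Volsnap.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys
2011-06-11 16:05 . 2011-04-02 00:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-11 06:31 . 2011-06-13 14:12 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-11 06:22 . 2011-06-11 06:22 -------- d--h--w- c:\windows\PIF
""".strip()

LOG_RUN2 = r"""
ComboFix 11-06-14.03 - PBAT 06/15/2011 6:02.6.1 - x86
Infected copy of c:\windows\system32\Drivers\Volsnap.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys
2011-06-15 13:07 . 2011-06-15 13:07 -------- d-----w- c:\users\Default\AppData\Local\temp
""".strip()

HEADER_RE = re.compile(r"^ComboFix (\S+) - (\S+) (\d{2}/\d{2}/\d{4})")
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
# "Files Created" entries: created-stamp . modified-stamp size attrs path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)


def run_date(log):
    """Return the run date (MM/DD/YYYY) from the ComboFix header line."""
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if m:
            return m.group(3)
    return None


def parse_disinfected(log):
    """Paths ComboFix reported as 'found and disinfected' in this run."""
    found = []
    for line in log.splitlines():
        m = DISINFECTED_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def parse_created(log):
    """Entries of the 'Files Created' section as dicts."""
    entries = []
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created,
            "modified": modified,
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def new_drivers(log):
    """Kernel driver files that appeared in the creation window. Each one is
    worth checking against its vendor; here they belong to security tools, but
    a dropped .sys would be listed the same way."""
    return [e for e in parse_created(log)
            if not e["is_dir"] and e["path"].lower().endswith(".sys")
            and "\\drivers\\" in e["path"].lower()]


def compare_runs(earlier, later):
    """Flag files disinfected in BOTH runs: the infection came back between
    them, so whatever re-infects the file (the persistence) was not removed."""
    a = {p.lower() for p in parse_disinfected(earlier)}
    b = {p.lower() for p in parse_disinfected(later)}
    return {"earlier": run_date(earlier), "later": run_date(later),
            "reinfected": sorted(a & b)}


if __name__ == "__main__":
    report = compare_runs(LOG_RUN1, LOG_RUN2)
    for path in report["reinfected"]:
        print(f"{path}: disinfected on {report['earlier']} and again on "
              f"{report['later']} -> re-infected between runs")
    for d in new_drivers(LOG_RUN1):
        print(f"new driver {d['path']} ({d['size']} bytes, created {d['created']})")
```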

Here it is ...

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software

Run date: 2011-06-15 06:26:47

-----------------------------

06:26:47.407 OS Version: Windows 6.1.7600

06:26:47.407 Number of processors: 1 586 0x170A

06:26:47.407 ComputerName: TOSHIBA-LAPTOP UserName: PBAT

06:26:58.499 Initialize success

06:27:08.233 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

06:27:08.233 Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 3

06:27:08.249 Disk 0 MBR read successfully

06:27:08.249 Disk 0 MBR scan

06:27:08.249 Disk 0 unknown MBR code

06:27:08.264 Disk 0 scanning sectors +488396800

06:27:08.296 Disk 0 scanning C:\windows\system32\drivers

06:27:12.024 Service scanning

06:27:12.898 Disk 0 trace - called modules:

06:27:12.944 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x868661ed]<<

06:27:12.944 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84dc2150]

06:27:12.944 3 CLASSPNP.SYS[8878a59e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x856a3028]

06:27:12.960 \Driver\iaStor[0x856b49c8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x868661ed

06:27:12.960 Scan finished successfully

06:27:27.952 Disk 0 MBR has been saved successfully to "C:\Users\PBAT\Desktop\MBR.dat"

06:27:27.952 The log file has been saved successfully to "C:\Users\PBAT\Desktop\aswMBR.txt"


Restarted computer and re-ran aswMBR. Log here:

aswMBR version 0.9.6.399 Copyright© 2011 AVAST Software

Run date: 2011-06-15 07:13:59

-----------------------------

07:13:59.715 OS Version: Windows 6.1.7600

07:13:59.715 Number of processors: 1 586 0x170A

07:13:59.715 ComputerName: TOSHIBA-LAPTOP UserName: PBAT

07:14:05.362 Initialize success

07:14:10.198 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

07:14:10.198 Disk 0 Vendor: WDC_WD25 12.0 Size: 238475MB BusType: 3

07:14:10.214 Disk 0 MBR read successfully

07:14:10.214 Disk 0 MBR scan

07:14:10.214 Disk 0 unknown MBR code

07:14:10.229 Disk 0 scanning sectors +488396800

07:14:10.261 Disk 0 scanning C:\windows\system32\drivers

07:14:15.393 Service scanning

07:14:17.327 Disk 0 trace - called modules:

07:14:17.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8655b1ed]<<

07:14:17.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84dc2ac8]

07:14:17.359 3 CLASSPNP.SYS[88a0459e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x856a1028]

07:14:17.359 \Driver\iaStor[0x856b89a0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8655b1ed

07:14:17.374 Scan finished successfully

07:14:39.729 Disk 0 MBR has been saved successfully to "C:\Users\PBAT\Desktop\MBR.dat"

07:14:39.729 The log file has been saved successfully to "C:\Users\PBAT\Desktop\aswMBR2.txt"
