Google redirect, random pages opening

[Sadi]

I got Malwarebytes mainly to deal with the following issue:

When I do a Google search, in Firefox OR Internet Explorer, I get search results as normal, but if I try to click any of them, they start to go to the correct page, then redirects to a seemingly random page; sometimes something that looks like Google News, sometimes a random add. Also, seemingly randomly a new tab will occasionally pop up with one of these pages as well, sometimes while I'm not even at my computer. I have it set up so new windows open in a new tab, so I'm guessing it's trying to open a whole new window. Sometimes it even causes the window to resize. Malwarebytes has blocked me from going to Google (or rather, fake Google, as that's what I get even if I type in the URL), but has also blocked anything related, such as GMail and GTalk, which were working fine. Help would be greatly appreciated, thanks!

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7697

Windows 6.0.6000

Internet Explorer 7.0.6000.17037

9/14/2011 8:41:54 AM

mbam-log-2011-09-14 (08-41-54).txt

Scan type: Quick scan

Objects scanned: 154638

Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{70C6E9DE-F30E-4A40-8A6F-9572C2328320} (PUP.FCTPlugin) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_23

Run by Admin at 9:03:29 on 2011-09-14

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3325.683 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\System32\Drivers\WTSRV.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\AVG\AVG10\avgscanx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\sttray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Winamp\winampa.exe

C:\Windows\System32\WTClient.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

C:\Windows\SYSTEM32\WISPTIS.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Fitbit\fitbit.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070425

uWindow Title = Internet Explorer provided by Dell

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070425

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem

uRun: [Fitbit Service Monitor] c:\program files\fitbit\fitbit-tray.exe

uRunOnce: [spchecker] "c:\program files\avg\avg10\notification\SPCheckerTE.exe"

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [sigmatelSysTrayApp] sttray.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [<NO NAME>]

mRun: [ECenter] c:\dell\e-center\EULALauncher.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [WTClient] WTClient.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-0N4MA.exe" /REG /REGSVRMODE

mRunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq

StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.2.1.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{56E33D23-83FD-43BC-BE5B-1170FF271116} : DhcpNameServer = 168.94.0.15 168.94.0.14

TCP: Interfaces\{7EE79AEB-F8FB-4F18-8541-DC0DE852A505} : DhcpNameServer = 192.168.1.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Hosts: 95.64.61.141 www.google.com

Hosts: 95.64.61.142 www.bing.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\zzw3eq56.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R2 Fitbit;Fitbit Data Uploader;c:\program files\fitbit\fitbit.exe [2011-7-28 786040]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-31 366640]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-8-8 235624]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]

R3 dhdusb.NTx86;Dynex Enhanced Wireless G USB Network Adapter Service;c:\windows\system32\drivers\bcmusbdhdlh.sys [2008-9-22 241656]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-4 22712]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-2-5 105576]

R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2007-6-7 18944]

R3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2011-7-28 14848]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-4 41272]

S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2007-4-23 10752]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]

.

=============== Created Last 30 ================

.

2011-08-31 15:39:20 709968 ----a-w- c:\windows\is-0N4MA.exe

.

==================== Find3M ====================

.

2011-08-04 17:48:55 0 ----a-w- c:\programdata\yidx.exe

2011-08-04 17:48:55 0 ----a-w- c:\programdata\fpjw.exe

2011-08-04 17:48:55 0 ----a-w- c:\programdata\fikt.exe

2011-08-04 17:48:55 0 ----a-w- c:\programdata\caoj.exe

2011-07-28 01:11:20 0 ----a-w- c:\programdata\ylap.exe

2011-07-28 01:11:20 0 ----a-w- c:\programdata\ixty.exe

2011-07-28 01:11:20 0 ----a-w- c:\programdata\fmuq.exe

2011-07-28 01:11:20 0 ----a-w- c:\programdata\cpeh.exe

2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-19 16:43:26 2600 ----a-w- C:\xp_exe_fix.reg

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.0.6000 Disk: WDC_WD50 rev.12.0 -> Harddisk0\DR0 ->

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87CCB4D0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87cd17d0]; MOV EAX, [0x87cd184c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x82C27F3B] -> \Device\Harddisk0\DR0[0x8761A730]

3 nt[0x82CB07E2] -> ntkrnlpa!IofCallDriver[0x82C27F3B] -> [0x881CA5E0]

\Driver\nvstor[0x87820A38] -> IRP_MJ_CREATE -> 0x87CCB4D0

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0; }

detected disk devices:

\Device\0000004e -> \??\SCSI#Disk&Ven_WDC_WD50&Prod_00AAKS-75TMA#4&201f1e9&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 9:04:23.25 ===============

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-09-14 09:24:54

Windows 6.0.6000 Harddisk0\DR0 -> \Device\00000032 WDC_WD50 rev.12.0

Running: d6ec8953.exe; Driver: C:\Users\Admin\AppData\Local\Temp\fxrdypod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x8DC827A0]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x8DC82848]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x8DC828E4]

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x8DC82980]

---- Kernel code sections - GMER 1.0.15 ----

PAGE CI.dll!CiInitialize + 3340 805EDBAA 1 Byte [C4]

PAGE CI.dll!CiInitialize + 3340 805EDBAA 3 Bytes [C4, 00, 00]

? C:\Users\Admin\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[312] ntdll.dll!NtProtectVirtualMemory 776CFD74 5 Bytes JMP 001B000A

.text C:\Windows\system32\svchost.exe[312] ntdll.dll!NtWriteVirtualMemory 776D06F4 5 Bytes JMP 002C000A

.text C:\Windows\system32\svchost.exe[312] ntdll.dll!KiUserExceptionDispatcher 776D0E88 5 Bytes JMP 001A000A

.text C:\Windows\Explorer.EXE[2660] ntdll.dll!NtProtectVirtualMemory 776CFD74 5 Bytes JMP 0130000A

.text C:\Windows\Explorer.EXE[2660] ntdll.dll!NtWriteVirtualMemory 776D06F4 5 Bytes JMP 0131000A

.text C:\Windows\Explorer.EXE[2660] ntdll.dll!KiUserExceptionDispatcher 776D0E88 5 Bytes JMP 00F2000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[6952] ntdll.dll!NtProtectVirtualMemory 776CFD74 5 Bytes JMP 0018000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[6952] ntdll.dll!NtWriteVirtualMemory 776D06F4 5 Bytes JMP 0019000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[6952] ntdll.dll!KiUserExceptionDispatcher 776D0E88 5 Bytes JMP 0017000A

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7856] USER32.dll!SetWindowLongA 767BB211 4 Bytes JMP 634E8DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7856] USER32.dll!GetWindowInfo 767C00DB 5 Bytes JMP 63317187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7856] USER32.dll!SetWindowLongW 767D244A 4 Bytes JMP 634E8D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[7856] USER32.dll!TrackPopupMenu 767DCFF8 4 Bytes JMP 63317781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device cdfs.sys (CD-ROM File System Driver/Microsoft Corporation)

Device \Device\0000004e -> \??\SCSI#Disk&Ven_WDC_WD50&Prod_00AAKS-75TMA#4&201f1e9&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error

Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----

Attach.zip

[LDTate]

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

• If you use Firefox browser
  Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• It doesn't take long to run, once it is finished move onto the next step
  

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

please post the contents of that log TDSSKiller log.

Also please describe how your computer behaves at the moment.

[Sadi]

"Please download ATF Cleaner by Atribune."

I follow the link, but instead download PC Cleaner by PC HelpSoft, which Malwarebytes then identifies as malware and asks to quarantine. If I try to go to atribune.org, to try to get it direct, I get a 500 error page.

Just want to make sure this is actually the correct thing before I go through with it, since the names both do not match, and MB didn't like it. Thank you!

[LDTate]

For ATF Cleaner

http://forums.whatthetech.com/index.php?autocom=downloads&req=download&code=confirm_download&id=17

For TDDSKiller

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Right Click on the link and select Save As and save to your desktop

[Sadi]

Google seems to have stopped redirecting, though I'll have to give it a little bit to be sure, because even during the problem, once in a while it would work for a bit. Malwarebytes still blocks the Google page and Gmail, unless I turn off Website Blocking. Overall, computer may be acting just a touch slower, but that could be my imagination. No random tabs have popped up yet, but that was always random, so can't say if that means anything. Thanks for your continued help!

2011/09/15 16:19:47.0903 34456 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17

2011/09/15 16:19:48.0257 34456 ================================================================================

2011/09/15 16:19:48.0257 34456 SystemInfo:

2011/09/15 16:19:48.0257 34456

2011/09/15 16:19:48.0257 34456 OS Version: 6.0.6000 ServicePack: 0.0

2011/09/15 16:19:48.0257 34456 Product type: Workstation

2011/09/15 16:19:48.0257 34456 ComputerName: SADI

2011/09/15 16:19:48.0257 34456 UserName: Admin

2011/09/15 16:19:48.0257 34456 Windows directory: C:\Windows

2011/09/15 16:19:48.0257 34456 System windows directory: C:\Windows

2011/09/15 16:19:48.0257 34456 Processor architecture: Intel x86

2011/09/15 16:19:48.0257 34456 Number of processors: 2

2011/09/15 16:19:48.0257 34456 Page size: 0x1000

2011/09/15 16:19:48.0257 34456 Boot type: Normal boot

2011/09/15 16:19:48.0257 34456 ================================================================================

2011/09/15 16:19:50.0378 34456 Initialize success

2011/09/15 16:19:52.0777 34460 ================================================================================

2011/09/15 16:19:52.0777 34460 Scan started

2011/09/15 16:19:52.0777 34460 Mode: Manual;

2011/09/15 16:19:52.0777 34460 ================================================================================

2011/09/15 16:19:54.0351 34460 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys

2011/09/15 16:19:54.0433 34460 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys

2011/09/15 16:19:54.0493 34460 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys

2011/09/15 16:19:54.0808 34460 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys

2011/09/15 16:19:54.0846 34460 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys

2011/09/15 16:19:54.0922 34460 AFD (5d24caf8efd924a875698ff28384db8b) C:\Windows\system32\drivers\afd.sys

2011/09/15 16:19:54.0953 34460 agp440 (8b10ce1c1f9f1d47e4deb1a547a00cd4) C:\Windows\system32\drivers\agp440.sys

2011/09/15 16:19:54.0989 34460 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys

2011/09/15 16:19:55.0032 34460 aliide (5c42a992e68724d2cd3ddb4fc3b0409f) C:\Windows\system32\drivers\aliide.sys

2011/09/15 16:19:55.0056 34460 amdagp (848f27e5b27c1c253f6cefdc1a5d8f21) C:\Windows\system32\drivers\amdagp.sys

2011/09/15 16:19:55.0088 34460 amdide (849dfacdde533da5d1810f0caf84eb19) C:\Windows\system32\drivers\amdide.sys

2011/09/15 16:19:55.0130 34460 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys

2011/09/15 16:19:55.0153 34460 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys

2011/09/15 16:19:55.0209 34460 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys

2011/09/15 16:19:55.0245 34460 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys

2011/09/15 16:19:55.0345 34460 AsyncMac (e86cf7ce67d5de898f27ef884dc357d8) C:\Windows\system32\DRIVERS\asyncmac.sys

2011/09/15 16:19:55.0378 34460 atapi (e03e8c99d15d0381e02743c36afc7c6f) C:\Windows\system32\drivers\atapi.sys

2011/09/15 16:19:55.0493 34460 AVGIDSDriver (1c8d965bbcaa9ee5defdb54743437086) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys

2011/09/15 16:19:55.0545 34460 AVGIDSEH (c59c9bc3f0612bd207ccdc5d8cb9ce39) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys

2011/09/15 16:19:55.0574 34460 AVGIDSFilter (c5559de2ec66cede15a1664f6d183d8e) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys

2011/09/15 16:19:55.0610 34460 AVGIDSShim (ae5e9667fa40206796d1bd5bd0427a8a) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys

2011/09/15 16:19:55.0653 34460 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\Windows\system32\DRIVERS\avgldx86.sys

2011/09/15 16:19:55.0685 34460 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\Windows\system32\DRIVERS\avgmfx86.sys

2011/09/15 16:19:55.0722 34460 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\Windows\system32\DRIVERS\avgrkx86.sys

2011/09/15 16:19:55.0778 34460 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\Windows\system32\DRIVERS\avgtdix.sys

2011/09/15 16:19:55.0830 34460 b57nd60x (8e287eb3a52fd30c999482c576f4a61b) C:\Windows\system32\DRIVERS\b57nd60x.sys

2011/09/15 16:19:55.0882 34460 Beep (ac3dd1708b22761ebd7cbe14dcc3b5d7) C:\Windows\system32\drivers\Beep.sys

2011/09/15 16:19:55.0955 34460 bowser (913cd06fbe9105ce6077e90fd4418561) C:\Windows\system32\DRIVERS\bowser.sys

2011/09/15 16:19:55.0984 34460 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys

2011/09/15 16:19:56.0030 34460 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys

2011/09/15 16:19:56.0083 34460 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys

2011/09/15 16:19:56.0110 34460 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys

2011/09/15 16:19:56.0131 34460 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys

2011/09/15 16:19:56.0153 34460 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys

2011/09/15 16:19:56.0189 34460 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys

2011/09/15 16:19:56.0227 34460 cdfs (6c3a437fc873c6f6a4fc620b6888cb86) C:\Windows\system32\DRIVERS\cdfs.sys

2011/09/15 16:19:56.0248 34460 cdrom (8d1866e61af096ae8b582454f5e4d303) C:\Windows\system32\DRIVERS\cdrom.sys

2011/09/15 16:19:56.0288 34460 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys

2011/09/15 16:19:56.0335 34460 CLFS (1b84fd0937d3b99af9ba38ddff3daf54) C:\Windows\system32\CLFS.sys

2011/09/15 16:19:56.0365 34460 cmdide (de11a06e187756ecb86cfa82dac40ff7) C:\Windows\system32\drivers\cmdide.sys

2011/09/15 16:19:56.0389 34460 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys

2011/09/15 16:19:56.0407 34460 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys

2011/09/15 16:19:56.0439 34460 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys

2011/09/15 16:19:56.0491 34460 DfsC (a7179de59ae269ab70345527894ccd7c) C:\Windows\system32\Drivers\dfsc.sys

2011/09/15 16:19:56.0565 34460 dhdusb.NTx86 (1ca43cc75ad0b3d8656caddd6720d4ae) C:\Windows\system32\DRIVERS\bcmusbdhdlh.sys

2011/09/15 16:19:56.0585 34460 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys

2011/09/15 16:19:56.0642 34460 drmkaud (ee472cd2c01f6f8e8aa1fa06ffef61b6) C:\Windows\system32\drivers\drmkaud.sys

2011/09/15 16:19:56.0691 34460 DXGKrnl (334988883de69adb27e2cf9f9715bbdb) C:\Windows\System32\drivers\dxgkrnl.sys

2011/09/15 16:19:56.0802 34460 e1express (7505290504c8e2d172fa378cc0497bcc) C:\Windows\system32\DRIVERS\e1e6032.sys

2011/09/15 16:19:56.0887 34460 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys

2011/09/15 16:19:57.0036 34460 Ecache (0efc7531b936ee57fdb4e837664c509f) C:\Windows\system32\drivers\ecache.sys

2011/09/15 16:19:57.0105 34460 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys

2011/09/15 16:19:57.0183 34460 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys

2011/09/15 16:19:57.0244 34460 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys

2011/09/15 16:19:57.0266 34460 FileInfo (65773d6115c037ffd7ef8280ae85eb9d) C:\Windows\system32\drivers\fileinfo.sys

2011/09/15 16:19:57.0293 34460 Filetrace (c226dd0de060745f3e042f58dcf78402) C:\Windows\system32\drivers\filetrace.sys

2011/09/15 16:19:57.0334 34460 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys

2011/09/15 16:19:57.0369 34460 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys

2011/09/15 16:19:57.0411 34460 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys

2011/09/15 16:19:57.0450 34460 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys

2011/09/15 16:19:57.0479 34460 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys

2011/09/15 16:19:57.0539 34460 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys

2011/09/15 16:19:57.0573 34460 HDAudBus (0db613a7e427b5663563677796fd5258) C:\Windows\system32\DRIVERS\HDAudBus.sys

2011/09/15 16:19:57.0610 34460 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys

2011/09/15 16:19:57.0636 34460 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys

2011/09/15 16:19:57.0685 34460 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\DRIVERS\hidusb.sys

2011/09/15 16:19:57.0724 34460 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys

2011/09/15 16:19:57.0824 34460 HTTP (ea24fe637d974a8a31bc650f478e3533) C:\Windows\system32\drivers\HTTP.sys

2011/09/15 16:19:57.0866 34460 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys

2011/09/15 16:19:57.0923 34460 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys

2011/09/15 16:19:58.0017 34460 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys

2011/09/15 16:19:58.0076 34460 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys

2011/09/15 16:19:58.0112 34460 intelide (1b16626beae3a52e611fc681cd796f86) C:\Windows\system32\drivers\intelide.sys

2011/09/15 16:19:58.0136 34460 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys

2011/09/15 16:19:58.0159 34460 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys

2011/09/15 16:19:58.0198 34460 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys

2011/09/15 16:19:58.0222 34460 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys

2011/09/15 16:19:58.0271 34460 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys

2011/09/15 16:19:58.0296 34460 isapnp (2f8ece2699e7e2070545e9b0960a8ed2) C:\Windows\system32\drivers\isapnp.sys

2011/09/15 16:19:58.0324 34460 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys

2011/09/15 16:19:58.0348 34460 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys

2011/09/15 16:19:58.0373 34460 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys

2011/09/15 16:19:58.0396 34460 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys

2011/09/15 16:19:58.0464 34460 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys

2011/09/15 16:19:58.0505 34460 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys

2011/09/15 16:19:58.0565 34460 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys

2011/09/15 16:19:58.0609 34460 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys

2011/09/15 16:19:58.0651 34460 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys

2011/09/15 16:19:58.0682 34460 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys

2011/09/15 16:19:58.0718 34460 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys

2011/09/15 16:19:58.0781 34460 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\Windows\system32\drivers\mbam.sys

2011/09/15 16:19:58.0815 34460 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys

2011/09/15 16:19:58.0856 34460 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys

2011/09/15 16:19:58.0973 34460 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys

2011/09/15 16:19:59.0005 34460 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys

2011/09/15 16:19:59.0023 34460 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys

2011/09/15 16:19:59.0048 34460 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys

2011/09/15 16:19:59.0094 34460 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys

2011/09/15 16:19:59.0147 34460 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys

2011/09/15 16:19:59.0184 34460 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

2011/09/15 16:19:59.0217 34460 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys

2011/09/15 16:19:59.0273 34460 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys

2011/09/15 16:19:59.0295 34460 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys

2011/09/15 16:19:59.0377 34460 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys

2011/09/15 16:19:59.0405 34460 msahci (0d1c042188ffe61a702a9df5944de5ba) C:\Windows\system32\drivers\msahci.sys

2011/09/15 16:19:59.0444 34460 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys

2011/09/15 16:19:59.0488 34460 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys

2011/09/15 16:19:59.0522 34460 msisadrv (207df26dbb2537c20276da0e15892274) C:\Windows\system32\drivers\msisadrv.sys

2011/09/15 16:19:59.0561 34460 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys

2011/09/15 16:19:59.0597 34460 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys

2011/09/15 16:19:59.0645 34460 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys

2011/09/15 16:19:59.0688 34460 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys

2011/09/15 16:19:59.0719 34460 mssmbios (7dbaa028f625aa46b95dda4fbe4b602b) C:\Windows\system32\DRIVERS\mssmbios.sys

2011/09/15 16:19:59.0762 34460 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys

2011/09/15 16:19:59.0777 34460 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys

2011/09/15 16:19:59.0840 34460 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys

2011/09/15 16:19:59.0886 34460 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys

2011/09/15 16:19:59.0935 34460 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys

2011/09/15 16:19:59.0960 34460 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys

2011/09/15 16:19:59.0985 34460 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys

2011/09/15 16:20:00.0008 34460 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys

2011/09/15 16:20:00.0030 34460 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys

2011/09/15 16:20:00.0059 34460 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys

2011/09/15 16:20:00.0101 34460 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

2011/09/15 16:20:00.0127 34460 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys

2011/09/15 16:20:00.0164 34460 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys

2011/09/15 16:20:00.0236 34460 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys

2011/09/15 16:20:00.0289 34460 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

2011/09/15 16:20:00.0315 34460 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys

2011/09/15 16:20:00.0387 34460 NVHDA (b4f70fac4ea61cf150823aa063a39ff9) C:\Windows\system32\drivers\nvhda32v.sys

2011/09/15 16:20:01.0031 34460 nvlddmkm (27742b94d0244bbeb9ce1c332a2577a3) C:\Windows\system32\DRIVERS\nvlddmkm.sys

2011/09/15 16:20:01.0328 34460 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys

2011/09/15 16:20:01.0363 34460 nvstor (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\drivers\nvstor.sys

2011/09/15 16:20:01.0409 34460 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys

2011/09/15 16:20:01.0473 34460 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys

2011/09/15 16:20:01.0525 34460 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys

2011/09/15 16:20:01.0579 34460 partmgr (84be786f33fdbd8765e05df3b7f5b9e6) C:\Windows\system32\drivers\partmgr.sys

2011/09/15 16:20:01.0613 34460 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys

2011/09/15 16:20:01.0691 34460 pci (bdd96f9cf34d58958aff1be6ef4c8020) C:\Windows\system32\drivers\pci.sys

2011/09/15 16:20:01.0738 34460 pciide (b2fc76090ef1003463ccb07cabb35cff) C:\Windows\system32\drivers\pciide.sys

2011/09/15 16:20:01.0793 34460 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys

2011/09/15 16:20:01.0860 34460 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys

2011/09/15 16:20:01.0935 34460 PptpMiniport (c04dec5ace67c5247b150c4223970bb7) C:\Windows\system32\DRIVERS\raspptp.sys

2011/09/15 16:20:01.0974 34460 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys

2011/09/15 16:20:02.0050 34460 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys

2011/09/15 16:20:02.0328 34460 PTSimBus (688983e03c0d82b2efa1db89792c4c6c) C:\Windows\system32\DRIVERS\PTSimBus.sys

2011/09/15 16:20:02.0370 34460 PTSimHid (fdc1a2e536b5cbce1c2245cd5ad910eb) C:\Windows\system32\DRIVERS\PTSimHid.sys

2011/09/15 16:20:02.0418 34460 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\Windows\system32\Drivers\PxHelp20.sys

2011/09/15 16:20:02.0480 34460 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys

2011/09/15 16:20:02.0537 34460 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys

2011/09/15 16:20:02.0581 34460 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys

2011/09/15 16:20:02.0665 34460 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys

2011/09/15 16:20:02.0734 34460 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys

2011/09/15 16:20:02.0783 34460 Rasl2tp (68b0019fee429ec49d29017af937e482) C:\Windows\system32\DRIVERS\rasl2tp.sys

2011/09/15 16:20:02.0806 34460 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys

2011/09/15 16:20:02.0827 34460 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys

2011/09/15 16:20:02.0845 34460 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys

2011/09/15 16:20:02.0898 34460 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\drivers\rdpdr.sys

2011/09/15 16:20:02.0919 34460 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys

2011/09/15 16:20:02.0987 34460 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys

2011/09/15 16:20:03.0071 34460 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys

2011/09/15 16:20:03.0120 34460 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys

2011/09/15 16:20:03.0249 34460 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

2011/09/15 16:20:03.0468 34460 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys

2011/09/15 16:20:04.0031 34460 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\DRIVERS\serial.sys

2011/09/15 16:20:04.0171 34460 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys

2011/09/15 16:20:04.0251 34460 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys

2011/09/15 16:20:04.0364 34460 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys

2011/09/15 16:20:04.0409 34460 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys

2011/09/15 16:20:04.0454 34460 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys

2011/09/15 16:20:04.0488 34460 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys

2011/09/15 16:20:04.0534 34460 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys

2011/09/15 16:20:04.0556 34460 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys

2011/09/15 16:20:04.0620 34460 SIUSBXP (bc9c2ef22ee0320c079e3ff9b4d29951) C:\Windows\system32\drivers\SiUSBXp.sys

2011/09/15 16:20:04.0662 34460 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys

2011/09/15 16:20:04.0688 34460 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys

2011/09/15 16:20:04.0773 34460 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys

2011/09/15 16:20:04.0834 34460 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys

2011/09/15 16:20:04.0900 34460 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys

2011/09/15 16:20:05.0062 34460 STHDA (9cea131b5eb0ea653f6b3ea80b54956d) C:\Windows\system32\drivers\stwrt.sys

2011/09/15 16:20:05.0117 34460 swenum (3b80b4383c9bce13279c8482734b32b2) C:\Windows\system32\DRIVERS\swenum.sys

2011/09/15 16:20:05.0164 34460 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys

2011/09/15 16:20:05.0207 34460 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys

2011/09/15 16:20:05.0258 34460 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys

2011/09/15 16:20:05.0338 34460 TClass2k (1b3c28d36e669deeb39331255a3feeeb) C:\Windows\system32\DRIVERS\TClass2k.sys

2011/09/15 16:20:05.0455 34460 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys

2011/09/15 16:20:05.0568 34460 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys

2011/09/15 16:20:05.0606 34460 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys

2011/09/15 16:20:05.0647 34460 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys

2011/09/15 16:20:05.0679 34460 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys

2011/09/15 16:20:05.0708 34460 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys

2011/09/15 16:20:05.0730 34460 TermDD (849ed71967d45f15c3e0abfc633fdf2a) C:\Windows\system32\DRIVERS\termdd.sys

2011/09/15 16:20:05.0789 34460 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/09/15 16:20:05.0895 34460 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys

2011/09/15 16:20:05.0965 34460 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys

2011/09/15 16:20:05.0999 34460 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys

2011/09/15 16:20:06.0086 34460 UCTblHid (adfa2e999bd2ddf89187dcbf0e3dd404) C:\Windows\system32\DRIVERS\UCTblHid.sys

2011/09/15 16:20:06.0116 34460 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys

2011/09/15 16:20:06.0185 34460 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys

2011/09/15 16:20:06.0306 34460 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys

2011/09/15 16:20:06.0376 34460 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys

2011/09/15 16:20:06.0421 34460 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys

2011/09/15 16:20:06.0443 34460 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys

2011/09/15 16:20:06.0513 34460 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\Windows\system32\Drivers\usbaapl.sys

2011/09/15 16:20:06.0581 34460 usbaudio (f6bf998ae33e3fb6c7d27f0560f1173f) C:\Windows\system32\drivers\usbaudio.sys

2011/09/15 16:20:06.0632 34460 usbccgp (b0ba9caffe9b0555ec0317f30cb79cd2) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/09/15 16:20:06.0672 34460 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys

2011/09/15 16:20:06.0720 34460 usbehci (c9fcd05b0a80ea08c2768e5a279b14de) C:\Windows\system32\DRIVERS\usbehci.sys

2011/09/15 16:20:06.0769 34460 usbhub (5e44f7d957f7560da06bfe6b84b58a35) C:\Windows\system32\DRIVERS\usbhub.sys

2011/09/15 16:20:06.0817 34460 usbohci (9333e482a173938788cbde8f81ec52fb) C:\Windows\system32\DRIVERS\usbohci.sys

2011/09/15 16:20:06.0848 34460 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\DRIVERS\usbprint.sys

2011/09/15 16:20:06.0884 34460 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2011/09/15 16:20:06.0925 34460 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys

2011/09/15 16:20:06.0995 34460 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/09/15 16:20:07.0022 34460 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys

2011/09/15 16:20:07.0058 34460 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys

2011/09/15 16:20:07.0082 34460 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys

2011/09/15 16:20:07.0106 34460 viaide (c0ace9d0f5a5ee0b00f58345947a57fc) C:\Windows\system32\drivers\viaide.sys

2011/09/15 16:20:07.0136 34460 volmgr (fd16fac15f9f165ac19a618e7b391f5c) C:\Windows\system32\drivers\volmgr.sys

2011/09/15 16:20:07.0163 34460 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys

2011/09/15 16:20:07.0213 34460 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys

2011/09/15 16:20:07.0250 34460 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys

2011/09/15 16:20:07.0304 34460 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys

2011/09/15 16:20:07.0373 34460 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys

2011/09/15 16:20:07.0440 34460 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys

2011/09/15 16:20:07.0475 34460 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys

2011/09/15 16:20:07.0526 34460 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys

2011/09/15 16:20:07.0654 34460 WinUSB (086d2e78eecd6195667282adc6ca109f) C:\Windows\system32\DRIVERS\WinUSB.sys

2011/09/15 16:20:07.0691 34460 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys

2011/09/15 16:20:07.0790 34460 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys

2011/09/15 16:20:07.0820 34460 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys

2011/09/15 16:20:07.0871 34460 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys

2011/09/15 16:20:07.0908 34460 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/09/15 16:20:07.0949 34460 MBR (0x1B8) (04d4350ae5fb6fc2ad3e7c26b1323c68) \Device\Harddisk0\DR0

2011/09/15 16:20:07.0957 34460 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/09/15 16:20:07.0974 34460 Boot (0x1200) (43e1a9d45ca44e482f342015e2f0256c) \Device\Harddisk0\DR0\Partition0

2011/09/15 16:20:07.0993 34460 Boot (0x1200) (d91c7e717f283995fdecbae33d2153ae) \Device\Harddisk0\DR0\Partition1

2011/09/15 16:20:07.0997 34460 ================================================================================

2011/09/15 16:20:07.0997 34460 Scan finished

2011/09/15 16:20:07.0997 34460 ================================================================================

2011/09/15 16:20:08.0005 33592 Detected object count: 1

2011/09/15 16:20:08.0005 33592 Actual detected object count: 1

2011/09/15 16:20:13.0114 33592 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/09/15 16:20:13.0114 33592 \Device\Harddisk0\DR0 - ok

2011/09/15 16:20:13.0151 33592 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure

2011/09/15 16:20:20.0878 34772 Deinitialize success

[LDTate]

Please do not attach the scan results from Combofx. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  
• Double click on ComboFix.exe & follow the prompts.
  Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  Note: If you have XP SP3, use the XP SP2 package.
  If Vista or Windows 7, skip the Recovery Console part
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

[Sadi]

Google and Gmail are no longer blocked by Malwarebytes. Seems to be working normally, though like I said the popups were random so hard to say that's gone for sure. Maybe even a bit faster. Looks all better from my end though! Hope it looks as clean to you. Thanks!

ComboFix 11-09-15.05 - Admin 09/15/2011 16:55:43.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3325.1774 [GMT -7:00]

Running from: c:\users\Greta\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Greta\AppData\Local\aimc.exe

c:\users\Greta\AppData\Local\foyl.exe

c:\users\Greta\AppData\Local\hkjg.exe

c:\users\Greta\AppData\Local\nfdi.exe

c:\users\Greta\AppData\Local\qawm.exe

c:\users\Greta\AppData\Local\ugtt.exe

c:\users\Greta\AppData\Local\wguj.exe

c:\users\Greta\AppData\Local\ysyo.exe

c:\users\Greta\AppData\Roaming\31CA.2A4

c:\users\Greta\wrar371.exe

c:\windows\system32\comct332.ocx

.

.

((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))

.

.

2011-09-16 00:02 . 2011-09-16 00:03 -------- d-----w- c:\users\Admin\AppData\Local\temp

2011-09-16 00:02 . 2011-09-16 00:02 -------- d-----w- c:\users\Eric\AppData\Local\temp

2011-09-16 00:02 . 2011-09-16 00:02 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-31 15:39 . 2011-08-31 15:39 709968 ----a-w- c:\windows\is-0N4MA.exe

2011-08-31 01:09 . 2011-08-31 01:09 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-04 17:48 . 2011-08-04 17:48 0 ----a-w- c:\programdata\yidx.exe

2011-08-04 17:48 . 2011-08-04 17:48 0 ----a-w- c:\programdata\fpjw.exe

2011-08-04 17:48 . 2011-08-04 17:48 0 ----a-w- c:\programdata\fikt.exe

2011-08-04 17:48 . 2011-08-04 17:48 0 ----a-w- c:\programdata\caoj.exe

2011-07-28 01:11 . 2011-07-28 01:11 0 ----a-w- c:\programdata\ylap.exe

2011-07-28 01:11 . 2011-07-28 01:11 0 ----a-w- c:\programdata\ixty.exe

2011-07-28 01:11 . 2011-07-28 01:11 0 ----a-w- c:\programdata\fmuq.exe

2011-07-28 01:11 . 2011-07-28 01:11 0 ----a-w- c:\programdata\cpeh.exe

2011-07-07 02:52 . 2011-08-04 19:30 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 02:52 . 2011-08-04 19:30 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-19 16:43 . 2011-06-19 16:43 2600 ----a-w- C:\xp_exe_fix.reg

2011-04-14 16:26 . 2011-06-15 01:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]

"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 1415824]

"Fitbit Service Monitor"="c:\program files\Fitbit\fitbit-tray.exe" [2011-07-11 2162296]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]

"WTClient"="WTClient.exe" [2007-04-11 40960]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

"InnoSetupRegFile.0000000001"="c:\windows\is-0N4MA.exe" [2011-08-31 709968]

"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2006-11-02 216064]

.

c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Trillian.lnk - c:\program files\Trillian\trillian.exe [2007-7-19 1873280]

.

c:\users\Greta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [N/A]

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

.

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-08-18 7390560]

R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [2007-04-23 10752]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 268528]

S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]

S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]

S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]

S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]

S2 Fitbit;Fitbit Data Uploader;c:\program files\Fitbit\fitbit.exe [2011-07-11 786040]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-08-09 235624]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-28 134480]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 28624]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]

S3 dhdusb.NTx86;Dynex Enhanced Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\bcmusbdhdlh.sys [2007-09-20 241656]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-06-21 105576]

S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [2007-06-07 18944]

S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2011-04-30 14848]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-15 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-21 04:19]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070425

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zzw3eq56.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-AROReminder - c:\program files\Advanced Registry Optimizer\aro.exe

SafeBoot-WudfPf

SafeBoot-WudfRd

AddRemove-FITBIT&10C4&84C4 - c:\windows\system32\Silabs\DriverUninstaller.exe USBXpress\FITBIT&10C4&84C4

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-15 17:03

Windows 6.0.6000 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\a4e35ee8]

"imagepath"="\??\c:\windows\TEMP\A11A.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-478687933-808470084-128191163-1000\Software\SecuROM\License information*]

"datasecu"=hex:01,f7,aa,3f,12,98,a0,20,91,f4,00,b6,fb,e9,5d,ff,9a,ab,ec,a5,e7,

42,da,2a,5c,be,3d,b9,63,7a,11,38,c4,7a,9b,e7,89,ec,7e,7c,99,bc,1d,14,52,9c,\

"rkeysecu"=hex:e2,25,d7,02,ad,58,c1,fe,cf,f6,22,67,27,6b,87,2d

.

Completion time: 2011-09-15 17:04:52

ComboFix-quarantined-files.txt 2011-09-16 00:04

.

Pre-Run: 104,658,739,200 bytes free

Post-Run: 116,258,471,936 bytes free

.

- - End Of File - - F0CF919E2F42A154BA222234F31A901F

[LDTate]

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\windows\is-0N4MA.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html

[Sadi]

Won't have a chance to do this until tomorrow due to work, but will do so then. Thanks.

[LDTate]

OK

[Sadi]

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: d35094e97b0622d4758ad80cec5458f6

Date first seen: 2011-07-14 23:46:32 (UTC)

Date last seen: 2011-09-17 16:04:34 (UTC)

Detection ratio: 0/44

[LDTate]

How's it been running?

[Sadi]

It has been running well. No signs of the old problems so far. Definitely a bit faster, if not fast as new. Thanks.

[LDTate]

Let's do this and I'll leave your topic open for 3 days.

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

• Click START run
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  

For Vista / Windows 7

• Click START Search
  
• Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK
  

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
     
  2. Click once on the Security tab
     
  3. Click once on the Internet icon so it becomes highlighted.
     
  4. Click once on the Custom Level button.
     
  5. Change the Download signed ActiveX controls to Prompt
     
  6. Change the Download unsigned ActiveX controls to Disable
     
  7. Change the Initialize and script ActiveX controls not marked as safe to Disable
     
  8. Change the Installation of desktop items to Prompt
     
  9. Change the Launching programs and files in an IFRAME to Prompt
     
  10. Change the Navigate sub-frames across different domains to Prompt
      
  11. When all these settings have been made, click on the OK button.
      
  12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      
  13. Next press the Apply button and then the OK to exit the Internet Properties page.
      

  [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

  (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

  Without a firewall your computer is succeptible to being hacked and taken over.

  I am very serious about this and see it happen almost every day with my clients.

  Simply using a Firewall in its default configuration can lower your risk greatly.

  [*]Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.

  •Free browser plug-in for Internet Explorer and Firefox

  •Real-time safety ratings

  •Ideal for Facebook, Twitter and LinkedIn

  [*] JAVA Click this link and click on the Free JAVA Download

  [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

  This will ensure your computer has always the latest security updates available installed on your computer.

  If there are new updates to install, install them immediately, reboot your computer, and revisit the site

  until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
  
• Malware Execution Prevention
  

Save yourself the hassle and get protected.

[Sadi]

When I try to search for ComboFix /Uninstall, I'm told 'No items match your search.' I know where the file was saved, would deleting that do the same thing?

[joeyangel]

If I may ask what is probably a naive question, what necessitates the removal of ComboFix after it has served its purpose?

[LDTate]

When I try to search for ComboFix /Uninstall, I'm told 'No items match your search.' I know where the file was saved, would deleting that do the same thing?

You can remove these leftover files and folders if listed:

C:\ComboFix

C:\QooBox

C:\combofix.txt

C:\combofix-quarantine-files.txt

[Sadi]

Got all of them except C:\QooBox. When I try to delete that, it asks for my password as usual, acts like it is working, then says 'You need permission to perform this action.'

[LDTate]

Don't worry about it then.

[Sadi]

Ok, thanks.

[LDTate]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.