
url redirects plus some other spurious behavior

This is a discussion on url redirects plus some other spurious behavior within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 04-06-2011, 09:58 AM   #1
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



Was unable to complete an Amazon transaction yesterday -- checkout pages wouldn't load without repeated attempts. Then found that search engine results were being redirected. Tried System Restore to several different known-clean restore points -- all failed. Have also noticed these intermittent behaviors: an unwanted tab included in my home set of tabs, Control Panel not loading the program list for "Add or Remove Programs", and slow loading of the desktop on bootup.

System is XP SP 3. Firefox 3.6.14 browser. I have a Dell XP SP2 reinstallation CD.

Attach.txt and ark.txt are in the attached zip file. DDS.txt follows below.

I will appreciate any help getting these issues resolved.
Attached Files
File Type: zip attach.zip (5.8 KB, 34 views)
tooleyweeds is offline  
Old 04-06-2011, 10:23 AM   #2
Security Team
Analyst
 
Join Date: Aug 2008
Location: Sweden
Posts: 562
OS: WinXP SP3 32bit, W7HP 64bit



Welcome to TSF!

DDS.txt is missing.

Please post the content of it in a reply.
heir is offline  
Old 04-06-2011, 02:03 PM   #3
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



My apologies for the missing DDS.txt. There were too many distractions taking my attention away from my posting.

It is pasted in below.

I have also attached a replacement zip file for attach.txt and ark.txt. In the attachment to my original post, I failed to turn off Notepad's wordwrap.

Thank you for taking a look at this for me.

Regards.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 9:38:05.59 on Wed 04/06/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.199 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\download\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/* Yahoo! SearchBar Home Page
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/* Yahoo!
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &PixVue: {b28b4479-d9c2-41d1-b74d-74a1827037cd} - c:\program files\pixvue.com\pixvue\bin\PixVue.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Subscribe in RSS Bandit - c:\documents and settings\owner\application data\rssbandit\iecontext_subscribebandit.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283378869671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: PixVue - c:\program files\pixvue.com\pixvue\bin\WinLogon.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\dkxinc5z.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?shva=1#inbox| https://www.facebook.com/?ref=home|https://www.facebook.com/group.php?gid=142183850424&ref=ts|https://forecast.weather.gov/MapClick.php?CityName=Buena+Vista&state=CO&site=PUB&textField1=38.8327&textField2=-106.141&e=0|https://pajamasmedia.com/instapundit/|https://jeffersoncityjays1967.com/wp-login.php?redirect_to=http%3A%2F%2Fjeffersoncityjays1967.com%2Fwp-admin%2F&reauth=1|https://jeffersoncityjays1967.com/wp-login.php?redirect_to=http%3A%2F%2Fjeffersoncityjays1967.com%2F|https://www.radioreference.com/apps/audio/?ctid=248
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Advertising Cookie Opt-out: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
.
============= SERVICES / DRIVERS ===============
.
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-1-31 68928]
S2 gupdate1c9c3696778bf5e;Google Update Service (gupdate1c9c3696778bf5e);c:\program files\google\update\GoogleUpdate.exe [2009-4-22 133104]
S3 PixVue;PixVue;"c:\program files\pixvue.com\pixvue\bin\daemon.exe" --> c:\program files\pixvue.com\pixvue\bin\Daemon.exe [?]
.
=============== Created Last 30 ================
.
2011-04-06 01:43:11 -------- d-s---w- C:\ComboFix
2011-04-06 01:42:53 389120 ----a-w- c:\windows\system32\CF17858.exe
2011-04-06 01:41:11 389120 ----a-w- c:\windows\system32\cmd.execf
2011-04-05 22:04:25 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-05 21:20:14 64512 ---ha-w- c:\windows\system32\dxdiecab.dll
2011-03-21 22:21:01 516784 ----a-r- c:\windows\system32\XceedCry.dll
2011-03-21 22:21:01 44544 ----a-w- c:\windows\system32\Gif89.dll
2011-03-21 22:21:01 28672 ----a-w- c:\windows\system32\DartWeb.oca
2011-03-21 22:21:01 217088 ----a-w- c:\windows\system32\DartSock.dll
2011-03-21 22:21:01 118784 ----a-w- c:\windows\system32\DartWeb.dll
2011-03-21 22:21:01 -------- d-----w- c:\program files\Convar
2011-03-21 22:20:33 692224 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-03-21 22:20:33 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-03-21 22:20:33 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-03-21 22:20:33 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-03-21 22:20:33 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-03-21 22:20:31 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-03-21 22:20:31 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-31 19:01:28 68928 ----a-w- c:\windows\system32\NLSSRV32.EXE
2011-01-31 18:59:24 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-01-31 18:59:22 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-01-27 11:57:06 677888 ------w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD1600JB-75GVC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F3D439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f437d0]; MOV EAX, [0x86f4384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86FC8AB8]
3 CLASSPNP[0xF7697FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86F690F0]
\Driver\atapi[0x86F97A08] -> IRP_MJ_CREATE -> 0x86F3D439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600JB-75GVC0_____________________08.02D08#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F3D27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:50:53.53 ===============
Attached Files
File Type: zip ark.zip (5.8 KB, 34 views)
tooleyweeds is offline  
Old 04-06-2011, 02:22 PM   #4
Security Team
Analyst
 
Join Date: Aug 2008
Location: Sweden
Posts: 562
OS: WinXP SP3 32bit, W7HP 64bit



I can see that you've tried to run ComboFix.

Please don't do that as stated here

Did ComboFix complete its run?

If so please post the content of C:\ComboFix.txt


-------------------------------

You've caught a rootkit.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
heir is offline  
Old 04-06-2011, 02:41 PM   #5
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



Thanks, heir. Yes, I tried to run combofix. I heard about it from my ISP's tech support, and attempted to run it before I thought about submitting my problem to Tech Support Forum. The combofix run did not complete. I got what appeared to be a command line window, and no further activity, so I closed the window.

Should I attempt to run combofix again before I proceed with TDSSKiller?

Regards.
tooleyweeds is offline  
Old 04-06-2011, 03:42 PM   #6
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



I answered my own question about running combofix before running TDSS. Because you recommended running TDSS without seeing combofix results, I concluded that I should go ahead with TDSS. Here is the report.

Regards.

2011/04/06 16:28:59.0687 3052 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/06 16:29:00.0171 3052 ================================================================================
2011/04/06 16:29:00.0171 3052 SystemInfo:
2011/04/06 16:29:00.0171 3052
2011/04/06 16:29:00.0171 3052 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/06 16:29:00.0171 3052 Product type: Workstation
2011/04/06 16:29:00.0171 3052 ComputerName: D3000
2011/04/06 16:29:00.0203 3052 UserName: Owner
2011/04/06 16:29:00.0203 3052 Windows directory: C:\WINDOWS
2011/04/06 16:29:00.0203 3052 System windows directory: C:\WINDOWS
2011/04/06 16:29:00.0203 3052 Processor architecture: Intel x86
2011/04/06 16:29:00.0203 3052 Number of processors: 2
2011/04/06 16:29:00.0203 3052 Page size: 0x1000
2011/04/06 16:29:00.0203 3052 Boot type: Normal boot
2011/04/06 16:29:00.0203 3052 ================================================================================
2011/04/06 16:29:04.0406 3052 Initialize success
2011/04/06 16:29:12.0031 3216 ================================================================================
2011/04/06 16:29:12.0031 3216 Scan started
2011/04/06 16:29:12.0031 3216 Mode: Manual;
2011/04/06 16:29:12.0031 3216 ================================================================================
2011/04/06 16:29:24.0218 3216 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/06 16:29:24.0234 3216 ================================================================================
2011/04/06 16:29:24.0234 3216 Scan finished
2011/04/06 16:29:24.0234 3216 ================================================================================
2011/04/06 16:29:24.0250 1840 Detected object count: 1
2011/04/06 16:30:18.0859 1840 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/06 16:30:18.0859 1840 \HardDisk0 - ok
2011/04/06 16:30:18.0859 1840 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/06 16:31:11.0765 1964 Deinitialize success
tooleyweeds is offline  
Old 04-07-2011, 12:10 AM   #7
Security Team
Analyst
 
Join Date: Aug 2008
Location: Sweden
Posts: 562
OS: WinXP SP3 32bit, W7HP 64bit



Quote:
Thanks, heir. Yes, I tried to run combofix. I heard about it from my ISP's tech support, and attempted to run it before I thought about submitting my problem to Tech Support Forum. The combofix run did not complete. I got what appeared to be a command line window, and no further activity, so I closed the window.
It is a command line tool. What do you mean by no further activity?
Here is a tutorial on how it should be used. How long did it run?

Let's do a check.

Please download BootCheck.exe to your desktop.

* Double click BootCheck.exe to run the check
* When complete, a Notepad window will open with a report
* Please copy and paste the contents of this report in your next reply
heir is offline  
Old 04-07-2011, 06:05 AM   #8
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



Quote:
Originally Posted by heir View Post
It is a command line tool. What do you mean by no further activity?
Here is a tutorial on how it should be used. How long did it run?
After the combofix command window opened, I detected no hard drive activity. It seemed to me that combofix was waiting for some command from me. I didn't know what command to give it, so I closed the window. The window had been open probably no more than two minutes. While the window was open, I never observed the initial "Please wait" screen that is mentioned in the tutorial that you linked in your most recent reply.

The report from bootcheck.exe is pasted in below.

Regards.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of C:\boot.ini:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
tooleyweeds is offline  
Old 04-07-2011, 06:34 AM   #9
Security Team
Analyst
 
Join Date: Aug 2008
Location: Sweden
Posts: 562
OS: WinXP SP3 32bit, W7HP 64bit



It's time to run ComboFix now.

Please delete your current copy of ComboFix.exe

Follow the tutorial on how to run it.
Post the log C:\ComboFix.txt in your reply

.
heir is offline  
Old 04-07-2011, 07:28 AM   #10
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



I deleted the old combofix.exe, which dated back to August 2009.

I downloaded a new copy of combofix.exe. It saved into C:\Documents and Settings\Owner\My Documents\download folder. I dragged it to my Desktop. That's the same procedure I have used on DDS, gmer, TDSSKiller, and bootcheck. But when I did that for combofix, all I got on the Desktop was a shortcut. I double-clicked on the shortcut without thinking that combofix would not be running from the desktop. That is why the report pasted in below shows combofix running out of C:\Documents and Settings\Owner\My Documents\download.

Regards.

ComboFix 11-04-06.03 - Owner 04/07/2011 7:59.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.682 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\download\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Doug\WINDOWS
c:\documents and settings\Owner\WINDOWS
C:\drvrtmp
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\System32\BSTIeprintctl1.dll
c:\windows\system32\regobj.dll
c:\windows\system32\service
c:\windows\system32\service\05042011_TIS17_SfFniAU.log
c:\windows\system32\service\08082010_TIS17_SfFniAU.log
c:\windows\system32\service\09082010_TIS17_SfFniAU.log
c:\windows\system32\service\11082010_TIS17_SfFniAU.log
c:\windows\system32\service\12092010_TIS17_SfFniAU.log
c:\windows\system32\service\26092010_TIS17_SfFniAU.log
c:\windows\system32\service\31072010_TIS17_SfFniAU.log
c:\windows\system32\tmp.reg
c:\windows\system32\twain.dll
F:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-07 to 2011-04-07 )))))))))))))))))))))))))))))))
.
.
2011-04-06 01:42 . 2011-04-06 01:41 389120 ----a-w- c:\windows\system32\CF17858.exe
2011-04-06 01:41 . 2011-04-06 01:41 389120 ----a-w- c:\windows\system32\cmd.execf
2011-04-05 22:04 . 2011-04-05 22:04 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-05 21:20 . 2011-04-05 21:20 64512 ---ha-w- c:\windows\system32\dxdiecab.dll
2011-04-05 16:22 . 2011-04-05 16:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-03-21 22:21 . 2011-03-21 22:21 -------- d-----w- c:\program files\Convar
2011-03-21 22:21 . 2003-07-18 19:58 516784 ----a-r- c:\windows\system32\XceedCry.dll
2011-03-21 22:21 . 2002-04-12 19:19 28672 ----a-w- c:\windows\system32\DartWeb.oca
2011-03-21 22:21 . 2002-02-28 15:46 217088 ----a-w- c:\windows\system32\DartSock.dll
2011-03-21 22:21 . 2002-02-21 16:12 118784 ----a-w- c:\windows\system32\DartWeb.dll
2011-03-21 22:21 . 1998-06-14 04:53 44544 ----a-w- c:\windows\system32\Gif89.dll
2011-03-21 22:20 . 2002-12-05 20:12 692224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-03-21 22:20 . 2002-12-05 20:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-03-21 22:20 . 2002-12-02 21:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-03-21 22:20 . 2002-12-02 19:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-03-21 22:20 . 2002-12-02 19:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-03-21 22:20 . 2011-03-21 22:20 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-03-21 22:20 . 2011-03-21 22:20 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-03-11 13:43 . 2011-03-11 13:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-12 14:04 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ------w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2006-08-30 03:57 2067456 ------w- c:\windows\system32\mstscax.dll
2011-01-31 19:01 . 2011-01-31 19:01 68928 ----a-w- c:\windows\system32\NLSSRV32.EXE
2011-01-31 18:59 . 2011-02-14 20:25 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-01-31 18:59 . 2011-02-14 20:25 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-01-27 11:57 . 2006-08-30 03:57 677888 ------w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-12 14:05 439296 ------w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
.
c:\documents and settings\Doug\Start Menu\Programs\Startup\
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2011-3-4 912344]
Palm Registration.lnk - c:\palm\register.exe [2006-8-31 2494464]
Shortcut to MSOFFICE.lnk - c:\program files\Microsoft Office\Office\1033\MSOFFICE.EXE [1999-2-1 405560]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 17:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 16:43 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-14 00:36 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 13:32 77824 ------w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 13:36 114688 ------w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 13:35 94208 ------w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
2003-05-08 16:00 49152 ----a-w- c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2006-01-30 09:00 98304 ----a-r- c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
2000-03-01 13:37 48128 ----a-w- c:\progra~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2001-07-25 18:04 57344 ----a-w- c:\program files\REGSHAVE\Regshave.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2078:TCP"= 2078:TCP:Website: port 2078
"2077:TCP"= 2077:TCP:Website: port 2077
.
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [1/31/2011 1:01 PM 68928]
S2 gupdate1c9c3696778bf5e;Google Update Service (gupdate1c9c3696778bf5e);c:\program files\Google\Update\GoogleUpdate.exe [4/22/2009 10:42 AM 133104]
S3 PixVue;PixVue;"c:\program files\PixVue.Com\PixVue\bin\Daemon.exe" --> c:\program files\PixVue.Com\PixVue\bin\Daemon.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-05 03:38]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 16:42]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 16:42]
.
2011-03-03 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-02-28 04:28]
.
2011-02-28 c:\windows\Tasks\wavepadSevenDays.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-28 04:29]
.
2011-03-03 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2011-02-28 04:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*Yahoo!
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Subscribe in RSS Bandit - c:\documents and settings\Owner\Application Data\RssBandit\iecontext_subscribebandit.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\dkxinc5z.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?shva=1#inbox|https://www.facebook.com/?ref=home|h...udio/?ctid=248
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Advertising Cookie Opt-out: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\Google\Google Gears\Firefox
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{3E57A8B6-849B-476E-A3E9-CFCE49E3662A} - c:\program files\PixVue.Com\PixVue\bin\PixVue.dll
ShellIconOverlayIdentifiers-{E3F36090-0540-418f-8136-074D5B255B59} - c:\program files\PixVue.Com\PixVue\bin\PixVue.dll
ShellIconOverlayIdentifiers-{E1C1BE26-35A8-4999-A3A6-235CB7BD558B} - c:\program files\PixVue.Com\PixVue\bin\PixVue.dll
ShellIconOverlayIdentifiers-{2E9BD3CA-A57F-450b-B1BA-A6A58C0C1D51} - c:\program files\PixVue.Com\PixVue\bin\PixVue.dll
ShellIconOverlayIdentifiers-{BCA5FB3A-9FC1-4465-ACE3-8C2072449164} - c:\program files\PixVue.Com\PixVue\bin\PixVue.dll
ShellIconOverlayIdentifiers-{F0C13C81-FB8D-464e-873F-F8FF999E3EEC} - c:\program files\PixVue.Com\PixVue\bin\PixVue.dll
ShellIconOverlayIdentifiers-{0117FFFB-91FD-414E-AC34-A00531032006} - c:\program files\PixVue.Com\PixVue\bin\PixVue.dll
Notify-PixVue - c:\program files\PixVue.Com\PixVue\bin\WinLogon.DLL
SafeBoot-MCODS
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-UfSeAgnt - c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-07 08:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
@DACL=(02 0000)
@="\"file:%1\",,-1,,,,,"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-07 08:12:49
ComboFix-quarantined-files.txt 2011-04-07 14:12
.
Pre-Run: 94,179,328,000 bytes free
Post-Run: 95,573,864,448 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 5A8125E1D9A4098FA64E7BB9818D6672
tooleyweeds is offline  
Old 04-09-2011, 08:08 AM   #11
Security Team
Analyst
 
Join Date: Aug 2008
Location: Sweden
Posts: 562
OS: WinXP SP3 32bit, W7HP 64bit



Something I should point out, regarding CCleaner, Glary Utilities, TuneUp Utilities and similar products:

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of the Experts here at TSF, miekiemoes, has an excellent writeup here.
Another excellent article by Bill Castner is located here.

Are the redirections and the other issues gone?

Let's follow up with a couple of scans.

Step 1.
MBAM:
  • Launch Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2.
Online Scanner:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Step 3.
Things I would like to see in your reply:
  1. The answer to the question in the beginning of this post.
  2. The content of the log from MBAM in step 1.
  3. The content of the log from ESET Online Scanner in step 2.
heir is offline  
Old 04-09-2011, 02:14 PM   #12
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



Thanks for the latest instructions, heir, and also for the recommendation against the registry cleaners.

Did I compromise the effectiveness of combofix by running it from a desktop shortcut rather than from the desktop directly?

1. Symptom status: After TDSSKiller executed, the redirections stopped and have not recurred. I have not had any further instances of unwanted tabs being included with my set of home tabs. The Control Panel "Add or Remove Programs" list appears to be loading normally. The desktop is loading normally. I am very happy with those results. I have not attempted to place another order with Amazon (trouble with that was my first clue that I had a problem). I have not attempted a System Restore, so I do not know whether that feature is working again.

2. The MBAM log follows:
Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 6319

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/9/2011 9:28:10 AM
mbam-log-2011-04-09 (09-28-10).txt

Scan type: Quick scan
Objects scanned: 178284
Time elapsed: 3 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\dxdiecab.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

3. The ESET log follows:
[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=22b047960c5952439a407a18cfd7dc4a
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-09 05:44:09
# local_time=2011-04-09 11:44:09 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=313204
# found=207
# cleaned=207
# scan_time=7676
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\6e2f3da1-7694ad82 a variant of Win32/Kryptik.MKB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\34\b571a2-69dec783 a variant of Win32/Kryptik.MGC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\My Documents\XMAS\2001\old_xmas.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1135\A0098337.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1135\A0098369.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1135\A0098370.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1135\A0098450.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1135\A0098451.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1136\A0098559.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1136\A0098560.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1136\A0098570.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1136\A0098571.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1136\A0098581.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1136\A0098582.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1137\A0098616.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1137\A0098617.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1137\A0098643.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1137\A0098644.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1138\A0098682.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1138\A0098683.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1140\A0098730.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1140\A0098731.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1140\A0098751.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1140\A0098752.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1141\A0098784.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1141\A0098785.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1141\A0098820.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1141\A0098821.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1143\A0099060.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1143\A0099061.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1143\A0099107.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1143\A0099108.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1144\A0099133.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1144\A0099134.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1144\A0099152.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1144\A0099153.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1146\A0099290.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1146\A0099291.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1147\A0099382.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1147\A0099383.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1148\A0099456.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1148\A0099457.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1148\A0099494.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1148\A0099495.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1149\A0099539.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1149\A0099540.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1149\A0099551.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1149\A0099552.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1149\A0099566.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1149\A0099567.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1150\A0099601.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1150\A0099602.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1150\A0099679.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1150\A0099680.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1151\A0099741.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1151\A0099742.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1152\A0099788.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1152\A0099789.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1153\A0099866.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1153\A0099867.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1154\A0099930.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1154\A0099931.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1155\A0100066.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1155\A0100067.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1156\A0100097.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1156\A0100098.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1156\A0100128.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1156\A0100129.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1156\A0100194.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1156\A0100195.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1157\A0100240.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1157\A0100241.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1157\A0100315.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1157\A0100316.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1158\A0100361.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1158\A0100362.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1158\A0100378.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1158\A0100379.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1159\A0100423.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1159\A0100424.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1160\A0100490.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1160\A0100492.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1160\A0100521.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1160\A0100522.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1161\A0100563.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1161\A0100564.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1163\A0100670.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1163\A0100671.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1164\A0100838.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1164\A0100839.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1164\A0100849.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1164\A0100850.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1165\A0100961.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1165\A0100962.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1166\A0101028.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1166\A0101029.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1167\A0101078.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1167\A0101079.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1167\A0101115.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1167\A0101116.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1167\A0101123.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1167\A0101124.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1168\A0101134.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1168\A0101135.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1169\A0101154.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1169\A0101155.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1169\A0101196.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1169\A0101197.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1170\A0101350.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1170\A0101351.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1171\A0101469.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1171\A0101470.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1171\A0101513.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1171\A0101514.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1172\A0101546.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1172\A0101547.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1172\A0101570.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1172\A0101571.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1172\A0101578.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1172\A0101579.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1173\A0101605.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1173\A0101606.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1173\A0101618.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1173\A0101619.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1175\A0101664.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1175\A0101665.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1176\A0101682.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1176\A0101683.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1176\A0101703.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1176\A0101704.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1177\A0102703.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1177\A0102704.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1177\A0102722.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1177\A0102723.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1178\A0102748.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1178\A0102749.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1179\A0102766.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1179\A0102767.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1180\A0102835.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1180\A0102836.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1181\A0102888.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1181\A0102889.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0102955.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0102956.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0102967.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0102968.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0103022.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0103023.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0103149.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0103150.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1183\A0103189.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1183\A0103190.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1184\A0103221.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1184\A0103222.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1184\A0103231.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1184\A0103232.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1185\A0103248.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1185\A0103249.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1187\A0105415.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1187\A0106414.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1187\A0106415.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1188\A0106453.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1188\A0106454.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1188\A0106597.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1188\A0106599.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
F:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1119\A0096356.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C
F:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1120\A0096920.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C
F:\Doug's backup 20101128\XMAS\2001\old_xmas.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C
F:\Doug's backup 20101223\XMAS\2001\old_xmas.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C
F:\Doug's backup 20110124\XMAS\2001\old_xmas.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C
F:\Doug's backup 20110306\XMAS\2001\old_xmas.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C
F:\Doug's backup 20110323\XMAS\2001\old_xmas.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C


Regards.
tooleyweeds is offline  
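As an added example (not a tool used in this thread), here is a small Python triage helper for scan log lines in the format posted above: it separates System Restore copies, which are gone once the restore points are cleared, from files still in use, and reports which restore points are involved. The sample lines are constructed in that format; the forum collapsed the log's tab separators to spaces, so the parser keys on the detection-name grammar instead of whitespace.

```python
"""Triage ESET-style scan log lines like those pasted above (added example).
The forum collapsed ESET's tab separators to spaces, so the parser keys on the
detection-name grammar instead of splitting on whitespace."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "  # drive-letter path; may contain spaces
    r"(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+(?: \w+)?) "  # 'Win32/Kryptik.KDG trojan'
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)
# System Restore keeps copies under _restore{GUID}\RPnnnn\ ; capture the RP number.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)

@dataclass
class Detection:
    path: str
    threat: str
    action: str
    restore_point: Optional[str]  # "RP1181" for a restore-point copy, None for a live file

def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for one log line, or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rp = RESTORE_RE.search(m["path"])
    return Detection(m["path"], m["threat"], m["action"], rp.group(1) if rp else None)

def summarize(lines: List[str]) -> dict:
    """Split hits into restore-point copies (gone once System Restore is cleared)
    and live files, which still need a human to decide what they are."""
    dets = [d for d in map(parse_line, lines) if d]
    return {
        "parsed": len(dets),
        "in_restore_points": sum(1 for d in dets if d.restore_point),
        "restore_points_hit": sorted({d.restore_point for d in dets if d.restore_point}),
        "live_files": [d.path for d in dets if not d.restore_point],
        "by_threat": dict(Counter(d.threat for d in dets)),
        "by_drive": dict(Counter(d.path[0].upper() for d in dets)),
    }

SAMPLE = [  # constructed lines in the format of the posted log
    r"C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1181\A0102888.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"C:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1182\A0102955.exe a variant of Win32/Kryptik.KDG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"F:\System Volume Information\_restore{579E900E-397D-4B64-AEB7-8B7439FD6479}\RP1119\A0096356.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C",
    r"F:\Doug's backup 20101128\XMAS\2001\old_xmas.exe Win32/Adware.Gator.Trickler application (deleted - quarantined) 00000000000000000000000000000000 C",
]
```

Calling `summarize(SAMPLE)` on these four lines reports three restore-point copies (RP1119, RP1181, RP1182) and one live file, the copy kept in the user's backup folder.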
Old 04-10-2011, 04:03 AM   #13
Security Team
Analyst
 
Join Date: Aug 2008
Location: Sweden
Posts: 562
OS: WinXP SP3 32bit, W7HP 64bit



There was a bad file that you had backed up that got removed. There were also a lot of files in system restore. System restore will be cleared in this post, giving you a new fresh starting point.


Hey there, tooleyweeds !

OK! Well done, your log is clean again!

Time for some housekeeping.

Step 1.
Clean up:

What we need to do is remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Second:
  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that are left over after you ran OTC.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 24.
  • Click the JDK 6 Update 24 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u24-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u24-windows-i586.exe and select "Run as an Administrator.")


Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the Internet.
  • Click Apply then OK.


Third:
Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next let's look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
Fifth:
On to personal Anti Virus programs.

One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AVs below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs
Sixth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!
heir is offline  
Old 04-10-2011, 11:59 AM   #14
Registered Member
 
Join Date: Apr 2011
Posts: 8
OS: winXP SP3



Thank you, heir. Your help has been indispensable.

Current status:

ComboFix uninstalled.

OTC executed. I manually deleted a few remaining items.

Existing Java files have been deleted, and JRE 6 Update 24 installed.

Confirmed that I have Windows Update set to Automatic.

SpywareBlaster and SpywareGuard installed and configured.

Comodo Firewall installed. (I had been using the firewall in Trend Micro.)

avast! anti-virus installed. (I had been using Trend Micro, but uninstalled it before my first post back on April 6, when I was trying to make System Restore work.)

I don't use chat, so I'll just file those recommendations for future reference.

And, I just read Tony Klein's article.

Regards,
tooleyweeds
tooleyweeds is offline  
Old 04-13-2011, 11:42 AM   #15
TSF-Emeritus
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 15,384
OS: XP Win7 Win 8.1 Ubuntu 10.10



Since this issue appears resolved, this topic will now be archived. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum
amateur is offline  
 
