Computer under Attack

patrick

Hello, I am new to ComputerForum but was directed here to you experts, especially to Johnb35, as I have not been able to resolve a computer issue. I have a Compaq dc7800c that has performed flawlessly for 2 years. However, recently I downloaded a free copy of the Angry Birds game and found out that the program was downloading a lot of other stuff. I thought I had removed the program and all of what it downloaded. However, since this event my PC has slowed down significantly and there is a lot of unaccounted-for traffic on the internet.

When I go to my Trend Micro security program, it indicates that there are incoming threats at about 100 per hour. It found one cookie that it got rid of. I called my internet provider, where staff had me cleanse my two browsers, Firefox and Google Chrome. But the problem persists, and Trend Micro's Tech Support is not available until Monday and I could not get information from its online service.

Another action I've taken is to disconnect the Cisco wi-fi router in case this was the source of threats which are still coming in but not at such a high rate. Another disturbing problem is the computer refuses to log off and I have to disconnect the power.

Once again the system is a Compaq dc7800c using Windows XP Professional, service pack 3 or 4. Anti-virus software is Trend Micro Titanium Maximum Security 2012 which is fully up to date. A friend advised that I try AVG, but the system would not download it. I would very much appreciate your assistance.
 
Hi,

The first thing you want to do is follow the procedures below.

1.

Please download and run TDSSKiller.

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished, it will display a result screen stating whether or not the infection was found on your computer. If it was found, it will display a screen similar to the one below.

[image: infection-found.jpg]


To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

[image: scan-completed.jpg]


If the log says "will be cured after reboot", please reboot the system by pressing the Reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.


2.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically, which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.

If for some reason Malwarebytes will not install or run, please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running Rkill, then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system; then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away, or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.

3.

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.

When the HijackThis log appears in a Notepad file, click on the Edit menu, click Select All, then click on the Edit menu again and click Copy. Come back to your reply, right-click with your mouse and click Paste.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
 
John, thanks so much for the quick reply and for being here on New Year's Eve. I will do as you advise and post the results.

Patrick
 
I will be on here off and on for the rest of the day now that I am home from work, providing I don't fall asleep in order to stay up past the new year.
 
Hi again. Initially, my Firefox would not allow me to run TDSSKiller. After changing to Google Chrome, I got it to run. But I don't get the Scan Results screen after scanning. I couldn't attach the screensaver, but here is a text version of what appeared:

Threats detected

Locked file
Service: safeBoot

Rootkit.boot.pihar.b
......
malware object.high.

Options were to "skip" or "cure".

Should I just hit the continue button at bottom of the screen? Thanks.
 
Hi, the log file for TDSSKiller is below. Let me add that there is already improvement. This time the computer logged off normally. Should I wait for your response to the log file before going to Step 2 (Download Malwarebytes' Anti-Malware, etc.)?
---
13:43:40.0937 3556 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
13:43:41.0484 3556 ============================================================
13:43:41.0484 3556 Current date / time: 2011/12/31 13:43:41.0484
13:43:41.0484 3556 SystemInfo:
13:43:41.0484 3556
13:43:41.0500 3556 OS Version: 5.1.2600 ServicePack: 3.0
13:43:41.0500 3556 Product type: Workstation
13:43:41.0500 3556 ComputerName: HP11005506461
13:43:41.0500 3556 UserName: Administrator
13:43:41.0500 3556 Windows directory: C:\WINDOWS
13:43:41.0500 3556 System windows directory: C:\WINDOWS
13:43:41.0500 3556 Processor architecture: Intel x86
13:43:41.0500 3556 Number of processors: 2
13:43:41.0500 3556 Page size: 0x1000
13:43:41.0500 3556 Boot type: Normal boot
13:43:41.0500 3556 ============================================================
13:43:43.0750 3556 Initialize success
13:43:51.0609 6076 ============================================================
13:43:51.0609 6076 Scan started
13:43:51.0609 6076 Mode: Manual;
13:43:51.0609 6076 ============================================================
13:43:54.0562 6076 Abiosdsk - ok
13:43:54.0578 6076 abp480n5 - ok
13:43:54.0625 6076 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
13:43:54.0625 6076 ac97intc - ok
13:43:54.0687 6076 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:43:54.0703 6076 ACPI - ok
13:43:54.0828 6076 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:43:54.0828 6076 ACPIEC - ok
13:43:54.0890 6076 ADIHdAudAddService (4e6e32df81005355056a76491d29d05c) C:\WINDOWS\system32\drivers\ADIHdAud.sys
13:43:54.0890 6076 ADIHdAudAddService - ok
13:43:54.0921 6076 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
13:43:54.0937 6076 adpu160m - ok
13:43:54.0937 6076 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
13:43:55.0046 6076 adpu320 - ok
13:43:55.0203 6076 AEAudio (058cdc314672a28a90566a787d9876e7) C:\WINDOWS\system32\drivers\AEAudio.sys
13:43:55.0203 6076 AEAudio - ok
13:43:55.0281 6076 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:43:55.0281 6076 aec - ok
13:43:55.0328 6076 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:43:55.0328 6076 AFD - ok
13:43:55.0406 6076 Aha154x - ok
13:43:55.0468 6076 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
13:43:55.0468 6076 aic78u2 - ok
13:43:55.0484 6076 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
13:43:55.0484 6076 aic78xx - ok
13:43:55.0484 6076 AliIde - ok
13:43:55.0500 6076 amsint - ok
13:43:55.0515 6076 asc - ok
13:43:55.0531 6076 asc3350p - ok
13:43:55.0531 6076 asc3550 - ok
13:43:55.0578 6076 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:43:55.0578 6076 AsyncMac - ok
13:43:55.0703 6076 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:43:55.0703 6076 atapi - ok
13:43:55.0718 6076 Atdisk - ok
13:43:55.0750 6076 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:43:55.0750 6076 Atmarpc - ok
13:43:55.0812 6076 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:43:55.0812 6076 audstub - ok
13:43:55.0906 6076 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:43:55.0906 6076 Beep - ok
13:43:55.0937 6076 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:43:55.0937 6076 cbidf2k - ok
13:43:55.0953 6076 cd20xrnt - ok
13:43:55.0968 6076 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:43:55.0968 6076 Cdaudio - ok
13:43:56.0015 6076 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:43:56.0015 6076 Cdfs - ok
13:43:56.0031 6076 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:43:56.0031 6076 Cdrom - ok
13:43:56.0140 6076 Changer - ok
13:43:56.0156 6076 CmdIde - ok
13:43:56.0171 6076 Cpqarray - ok
13:43:56.0218 6076 dac2w2k - ok
13:43:56.0218 6076 dac960nt - ok
13:43:56.0265 6076 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:43:56.0281 6076 Disk - ok
13:43:56.0312 6076 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:43:56.0328 6076 dmboot - ok
13:43:56.0421 6076 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:43:56.0421 6076 dmio - ok
13:43:56.0437 6076 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:43:56.0437 6076 dmload - ok
13:43:56.0484 6076 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:43:56.0484 6076 DMusic - ok
13:43:56.0546 6076 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
13:43:56.0546 6076 dot4 - ok
13:43:56.0656 6076 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
13:43:56.0656 6076 Dot4Print - ok
13:43:56.0671 6076 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
13:43:56.0671 6076 dot4usb - ok
13:43:56.0687 6076 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
13:43:56.0687 6076 dpti2o - ok
13:43:56.0718 6076 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:43:56.0718 6076 drmkaud - ok
13:43:56.0734 6076 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
13:43:56.0734 6076 E100B - ok
13:43:56.0781 6076 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
13:43:56.0781 6076 e1express - ok
13:43:56.0937 6076 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:43:56.0937 6076 Fastfat - ok
13:43:56.0953 6076 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:43:56.0953 6076 Fdc - ok
13:43:56.0984 6076 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:43:56.0984 6076 Fips - ok
13:43:57.0015 6076 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:43:57.0015 6076 Flpydisk - ok
13:43:57.0156 6076 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:43:57.0156 6076 FltMgr - ok
13:43:57.0203 6076 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:43:57.0218 6076 Fs_Rec - ok
13:43:57.0265 6076 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:43:57.0265 6076 Ftdisk - ok
13:43:57.0312 6076 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:43:57.0312 6076 Gpc - ok
13:43:57.0437 6076 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:43:57.0437 6076 HDAudBus - ok
13:43:57.0531 6076 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
13:43:57.0531 6076 HECI - ok
13:43:57.0625 6076 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:43:57.0640 6076 HidUsb - ok
13:43:57.0734 6076 HPKBCCID (1ffda46b645473d56c72aae6e1002825) C:\WINDOWS\system32\DRIVERS\HPKBCCID.sys
13:43:57.0734 6076 HPKBCCID - ok
13:43:57.0750 6076 hpn - ok
13:43:57.0781 6076 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:43:57.0796 6076 HTTP - ok
13:43:57.0828 6076 i2omgmt - ok
13:43:57.0859 6076 i2omp - ok
13:43:57.0890 6076 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:43:57.0890 6076 i8042prt - ok
13:43:57.0984 6076 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
13:43:57.0984 6076 i81x - ok
13:43:58.0015 6076 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
13:43:58.0015 6076 iAimFP0 - ok
13:43:58.0031 6076 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
13:43:58.0031 6076 iAimFP1 - ok
13:43:58.0046 6076 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
13:43:58.0046 6076 iAimFP2 - ok
13:43:58.0093 6076 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
13:43:58.0093 6076 iAimFP3 - ok
13:43:58.0125 6076 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
13:43:58.0125 6076 iAimFP4 - ok
13:43:58.0156 6076 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
13:43:58.0156 6076 iAimFP5 - ok
13:43:58.0156 6076 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
13:43:58.0156 6076 iAimFP6 - ok
13:43:58.0171 6076 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
13:43:58.0171 6076 iAimFP7 - ok
13:43:58.0218 6076 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
13:43:58.0218 6076 iAimTV0 - ok
13:43:58.0250 6076 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
13:43:58.0250 6076 iAimTV1 - ok
13:43:58.0250 6076 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
13:43:58.0250 6076 iAimTV3 - ok
13:43:58.0281 6076 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
13:43:58.0281 6076 iAimTV4 - ok
13:43:58.0296 6076 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
13:43:58.0296 6076 iAimTV5 - ok
13:43:58.0328 6076 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
13:43:58.0328 6076 iAimTV6 - ok
13:43:58.0515 6076 ialm (12c7f8d581c4a9f126f5f8f5683a1c29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
13:43:58.0656 6076 ialm - ok
13:43:58.0812 6076 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\WINDOWS\system32\DRIVERS\iaStor.sys
13:43:58.0812 6076 iaStor - ok
13:43:58.0859 6076 IFXTPM (667cfdb801df771f47b7c39373c2d850) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
13:43:58.0875 6076 IFXTPM - ok
13:43:58.0890 6076 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:43:58.0890 6076 Imapi - ok
13:43:59.0000 6076 ini910u - ok
13:43:59.0343 6076 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:43:59.0343 6076 IntelIde - ok
13:43:59.0406 6076 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:43:59.0421 6076 intelppm - ok
13:43:59.0531 6076 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:43:59.0562 6076 Ip6Fw - ok
13:43:59.0640 6076 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:43:59.0640 6076 IpFilterDriver - ok
13:43:59.0718 6076 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:43:59.0718 6076 IpInIp - ok
13:43:59.0750 6076 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:43:59.0750 6076 IpNat - ok
13:43:59.0781 6076 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:43:59.0781 6076 IPSec - ok
13:43:59.0812 6076 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:43:59.0812 6076 IRENUM - ok
13:43:59.0843 6076 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:43:59.0843 6076 isapnp - ok
13:43:59.0890 6076 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:43:59.0890 6076 Kbdclass - ok
13:43:59.0937 6076 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:43:59.0937 6076 kbdhid - ok
13:43:59.0968 6076 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:43:59.0968 6076 kmixer - ok
13:44:00.0000 6076 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:44:00.0000 6076 KSecDD - ok
13:44:00.0000 6076 lbrtfdc - ok
13:44:00.0046 6076 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:44:00.0046 6076 mnmdd - ok
13:44:00.0078 6076 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:44:00.0078 6076 Modem - ok
13:44:00.0125 6076 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:44:00.0125 6076 Mouclass - ok
13:44:00.0171 6076 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:44:00.0187 6076 mouhid - ok
13:44:00.0281 6076 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:44:00.0281 6076 MountMgr - ok
13:44:00.0312 6076 mraid35x - ok
13:44:00.0359 6076 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:44:00.0359 6076 MRxDAV - ok
13:44:00.0406 6076 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:44:00.0421 6076 MRxSmb - ok
13:44:00.0531 6076 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:44:00.0531 6076 Msfs - ok
13:44:00.0578 6076 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:44:00.0593 6076 MSKSSRV - ok
13:44:00.0609 6076 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:44:00.0609 6076 MSPCLOCK - ok
13:44:00.0625 6076 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:44:00.0640 6076 MSPQM - ok
13:44:00.0703 6076 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:44:00.0703 6076 mssmbios - ok
13:44:00.0734 6076 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
13:44:00.0734 6076 Mup - ok
13:44:00.0796 6076 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:44:00.0812 6076 NDIS - ok
13:44:00.0843 6076 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:44:00.0843 6076 NdisTapi - ok
13:44:00.0890 6076 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:44:00.0890 6076 Ndisuio - ok
13:44:00.0906 6076 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:44:00.0906 6076 NdisWan - ok
13:44:00.0953 6076 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:44:00.0953 6076 NDProxy - ok
13:44:01.0015 6076 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:44:01.0015 6076 NetBIOS - ok
13:44:01.0078 6076 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:44:01.0078 6076 NetBT - ok
13:44:01.0093 6076 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:44:01.0093 6076 Npfs - ok
13:44:01.0125 6076 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:44:01.0125 6076 Ntfs - ok
13:44:01.0203 6076 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:44:01.0203 6076 Null - ok
13:44:01.0234 6076 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:44:01.0234 6076 NwlnkFlt - ok
13:44:01.0265 6076 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:44:01.0265 6076 NwlnkFwd - ok
13:44:01.0343 6076 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
13:44:01.0343 6076 P3 - ok
13:44:01.0390 6076 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:44:01.0390 6076 Parport - ok
13:44:01.0453 6076 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:44:01.0453 6076 PartMgr - ok
13:44:01.0515 6076 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:44:01.0515 6076 ParVdm - ok
13:44:01.0546 6076 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:44:01.0546 6076 PCI - ok
13:44:01.0562 6076 PCIDump - ok
13:44:01.0578 6076 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:44:01.0578 6076 PCIIde - ok
13:44:01.0625 6076 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:44:01.0640 6076 Pcmcia - ok
13:44:01.0671 6076 PDCOMP - ok
13:44:01.0687 6076 PDFRAME - ok
13:44:01.0687 6076 PDRELI - ok
13:44:01.0703 6076 PDRFRAME - ok
13:44:01.0703 6076 perc2 - ok
13:44:01.0765 6076 perc2hib - ok
13:44:01.0812 6076 PersonalSecureDrive (c7d5cf6c7dbe6d96de252457721bd0e8) C:\WINDOWS\System32\drivers\psd.sys
13:44:01.0890 6076 PersonalSecureDrive - ok
13:44:02.0015 6076 pnarp (ce27fc8bdc54b3ac63d53e2d5f6cc929) C:\WINDOWS\system32\DRIVERS\pnarp.sys
13:44:02.0015 6076 pnarp - ok
13:44:02.0062 6076 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:44:02.0078 6076 PptpMiniport - ok
13:44:02.0078 6076 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:44:02.0093 6076 PSched - ok
13:44:02.0125 6076 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:44:02.0125 6076 Ptilink - ok
13:44:02.0156 6076 purendis (f4fd591e86ecb6b5d000c7d6c987416b) C:\WINDOWS\system32\DRIVERS\purendis.sys
13:44:02.0156 6076 purendis - ok
13:44:02.0250 6076 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:44:02.0359 6076 PxHelp20 - ok
13:44:02.0468 6076 ql1080 - ok
13:44:02.0484 6076 Ql10wnt - ok
13:44:02.0484 6076 ql12160 - ok
13:44:02.0500 6076 ql1240 - ok
13:44:02.0500 6076 ql1280 - ok
13:44:02.0546 6076 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:44:02.0546 6076 RasAcd - ok
13:44:02.0578 6076 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:44:02.0578 6076 Rasl2tp - ok
13:44:02.0578 6076 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:44:02.0593 6076 RasPppoe - ok
13:44:02.0593 6076 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:44:02.0593 6076 Raspti - ok
13:44:02.0609 6076 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:44:02.0609 6076 Rdbss - ok
13:44:02.0718 6076 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:44:02.0718 6076 RDPCDD - ok
13:44:02.0734 6076 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:44:02.0734 6076 rdpdr - ok
13:44:02.0781 6076 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
13:44:02.0781 6076 RDPWD - ok
13:44:02.0828 6076 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:44:02.0843 6076 redbook - ok
13:44:02.0984 6076 RsvLock (02ff0fbd2945b7dd67db3fb0248ae61e) C:\WINDOWS\system32\drivers\RsvLock.sys
13:44:03.0046 6076 RsvLock - ok
13:44:03.0109 6076 SafeBoot (0e448c0306ba36cfd5c2388046e4ace0) C:\WINDOWS\system32\drivers\SafeBoot.sys
13:44:03.0171 6076 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: 0e448c0306ba36cfd5c2388046e4ace0
13:44:03.0171 6076 SafeBoot ( LockedFile.Multi.Generic ) - warning
13:44:03.0171 6076 SafeBoot - detected LockedFile.Multi.Generic (1)
13:44:03.0343 6076 SbAlg (f6367fb350f8e5d3f6dd8040e4c0e33b) C:\WINDOWS\system32\drivers\SbAlg.sys
13:44:03.0375 6076 SbAlg - ok
13:44:03.0390 6076 SbFsLock (d48f49ef1cfd73d7371b96839529bc89) C:\WINDOWS\system32\drivers\SbFsLock.sys
13:44:03.0453 6076 SbFsLock - ok
13:44:03.0640 6076 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:44:03.0640 6076 Secdrv - ok
13:44:03.0687 6076 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:44:03.0687 6076 serenum - ok
13:44:03.0718 6076 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:44:03.0765 6076 Serial - ok
13:44:03.0796 6076 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
13:44:03.0812 6076 Sfloppy - ok
13:44:04.0000 6076 Simbad - ok
13:44:04.0046 6076 Sparrow - ok
13:44:04.0093 6076 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:44:04.0093 6076 splitter - ok
13:44:04.0156 6076 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:44:04.0156 6076 sr - ok
13:44:04.0203 6076 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:44:04.0203 6076 Srv - ok
13:44:04.0250 6076 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:44:04.0250 6076 swenum - ok
13:44:04.0296 6076 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:44:04.0296 6076 swmidi - ok
13:44:04.0359 6076 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
13:44:04.0359 6076 symc810 - ok
13:44:04.0390 6076 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
13:44:04.0390 6076 symc8xx - ok
13:44:04.0468 6076 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
13:44:04.0546 6076 Symmpi - ok
13:44:04.0578 6076 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
13:44:04.0593 6076 sym_hi - ok
13:44:04.0656 6076 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
13:44:04.0656 6076 sym_u3 - ok
13:44:04.0703 6076 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:44:04.0703 6076 sysaudio - ok
13:44:04.0765 6076 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:44:04.0765 6076 Tcpip - ok
13:44:04.0812 6076 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:44:04.0812 6076 TDPIPE - ok
13:44:04.0828 6076 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:44:04.0828 6076 TDTCP - ok
13:44:04.0875 6076 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:44:04.0875 6076 TermDD - ok
13:44:05.0000 6076 tmactmon (e8e528896ff2595cfada88749cd72ef8) C:\WINDOWS\system32\DRIVERS\tmactmon.sys
13:44:05.0015 6076 tmactmon - ok
13:44:05.0015 6076 tmcomm (1837512d4aab862bd297a2ef035fba14) C:\WINDOWS\system32\DRIVERS\tmcomm.sys
13:44:05.0015 6076 tmcomm - ok
13:44:05.0046 6076 tmevtmgr (dbac510d1c7cc66b7a78eb2264f3072e) C:\WINDOWS\system32\DRIVERS\tmevtmgr.sys
13:44:05.0046 6076 tmevtmgr - ok
13:44:05.0093 6076 tmtdi (a6e20b094a8d3e3f46d10bbe7e1ebb82) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
13:44:05.0109 6076 tmtdi - ok
13:44:05.0171 6076 TosIde - ok
13:44:05.0218 6076 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:44:05.0218 6076 Udfs - ok
13:44:05.0234 6076 ultra - ok
13:44:05.0250 6076 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:44:05.0250 6076 usbccgp - ok
13:44:05.0281 6076 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:44:05.0281 6076 usbehci - ok
13:44:05.0312 6076 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:44:05.0328 6076 usbhub - ok
13:44:05.0375 6076 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:44:05.0375 6076 USBSTOR - ok
13:44:05.0515 6076 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:44:05.0515 6076 usbuhci - ok
13:44:05.0562 6076 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:44:05.0562 6076 VgaSave - ok
13:44:05.0593 6076 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
13:44:05.0593 6076 ViaIde - ok
13:44:05.0703 6076 VirtDisk (1b8f371423bb41426632b704a0fd466e) c:\windows\sminst\VirtDisk.sys
13:44:05.0968 6076 VirtDisk - ok
13:44:06.0109 6076 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:44:06.0109 6076 VolSnap - ok
13:44:06.0171 6076 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
13:44:06.0171 6076 wacommousefilter - ok
13:44:06.0250 6076 wacomvhid (846b58ea44bf8c92e4b59f4e2252c4c0) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
13:44:06.0250 6076 wacomvhid - ok
13:44:06.0328 6076 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:44:06.0328 6076 Wanarp - ok
13:44:06.0328 6076 WDICA - ok
13:44:06.0375 6076 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:44:06.0375 6076 wdmaud - ok
13:44:06.0421 6076 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
13:44:06.0421 6076 WmiAcpi - ok
13:44:06.0546 6076 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:44:06.0546 6076 WudfPf - ok
13:44:06.0609 6076 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:44:06.0625 6076 WudfRd - ok
13:44:06.0656 6076 MBR (0x1B8) (22932cd5780a49182a8f485fd070964c) \Device\Harddisk0\DR0
13:44:06.0687 6076 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
13:44:06.0687 6076 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
13:44:06.0687 6076 Boot (0x1200) (227c6cf7b2a0c5e4caac27a77e0b91d1) \Device\Harddisk0\DR0\Partition0
13:44:06.0687 6076 \Device\Harddisk0\DR0\Partition0 - ok
13:44:06.0703 6076 Boot (0x1200) (9499a793094424a5113b399f306e6eba) \Device\Harddisk0\DR0\Partition1
13:44:06.0703 6076 \Device\Harddisk0\DR0\Partition1 - ok
13:44:06.0703 6076 ============================================================
13:44:06.0703 6076 Scan finished
13:44:06.0703 6076 ============================================================
13:44:06.0703 3416 Detected object count: 2
13:44:06.0703 3416 Actual detected object count: 2
14:18:38.0296 3416 SafeBoot ( LockedFile.Multi.Generic ) - skipped by user
14:18:38.0328 3416 SafeBoot ( LockedFile.Multi.Generic ) - User select action: Skip
14:18:38.0515 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:18:38.0531 3416 \Device\Harddisk0\DR0 - ok
14:18:38.0546 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
14:18:51.0468 5252 Deinitialize success
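The posted log shows the two outcomes a TDSSKiller run can leave behind: a locked file that the user skipped (still on disk) and a boot-sector hit that will only be cured after a reboot. As an added example that is not part of this thread and not TDSSKiller's own code, the following Python script reads a log in exactly the line layout shown above and reports, per detected object, the verdict, the action chosen, and whether it is unresolved or pending a reboot. The sample log inside it is constructed to match the posted format (placeholder hashes, not the thread's values), and the function and field names are the example's own.

```python
"""Triage a TDSSKiller text log: what was detected, what the user chose,
and what is still unresolved or pending a reboot.

Added example for this thread; not part of the original posts or of TDSSKiller.
It assumes only the line layout visible in the posted log:
    HH:MM:SS.mmmm <pid> <message>
where the interesting messages look like
    <object> ( <verdict> ) - <status>
    <object> - detected <verdict> (<n>)
    Suspicious file (<reason>): <path>. md5: <hash>
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
VERDICT_RE = re.compile(r"^(?P<obj>.+?) \( (?P<verdict>[^)]+) \) - (?P<status>.+)$")
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-fA-F]{32})$"
)
ACTION_PREFIX = "User select action: "


@dataclass
class Finding:
    obj: str
    verdict: str
    statuses: list[str] = field(default_factory=list)
    action: str | None = None   # "Cure" or "Skip" once the user has chosen
    md5: str | None = None      # only filled for "Suspicious file" hits
    path: str | None = None

    @property
    def is_boot_sector(self) -> bool:
        # MBR/boot-sector hits are reported against the raw disk device
        return self.obj.startswith("\\Device\\Harddisk")

    @property
    def pending_reboot(self) -> bool:
        return any(s.startswith("will be cured on reboot") for s in self.statuses)

    @property
    def resolved(self) -> bool:
        # a skipped object stays on disk; a cure is complete only after reboot
        return self.pending_reboot or "cured" in self.statuses


def parse_tdsskiller_log(text: str) -> dict[str, Finding]:
    """Return findings keyed by object name, in first-seen order."""
    findings: dict[str, Finding] = {}
    last_suspicious = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        s = SUSPICIOUS_RE.match(msg)
        if s:
            last_suspicious = s   # hash/path belong to the verdict line that follows
            continue
        d = DETECTED_RE.match(msg)
        if d:
            findings.setdefault(d["obj"], Finding(d["obj"], d["verdict"]))
            continue
        v = VERDICT_RE.match(msg)
        if not v:
            continue   # driver inventory lines and "- ok" lines carry no verdict
        f = findings.setdefault(v["obj"], Finding(v["obj"], v["verdict"]))
        status = v["status"]
        if status.startswith(ACTION_PREFIX):
            f.action = status[len(ACTION_PREFIX):]
        else:
            f.statuses.append(status)
        if last_suspicious is not None and f.md5 is None:
            f.md5, f.path = last_suspicious["md5"], last_suspicious["path"]
            last_suspicious = None
    return findings


def still_unresolved(findings: dict[str, Finding]) -> list[Finding]:
    return [f for f in findings.values() if not f.resolved]


def needs_reboot(findings: dict[str, Finding]) -> list[Finding]:
    return [f for f in findings.values() if f.pending_reboot]


def report(findings: dict[str, Finding]) -> str:
    lines = []
    for f in findings.values():
        kind = "boot sector" if f.is_boot_sector else "file/service"
        state = "pending reboot" if f.pending_reboot else ("resolved" if f.resolved else "UNRESOLVED")
        lines.append(f"{f.obj} [{kind}] {f.verdict}: action={f.action or 'none'} -> {state}")
    return "\n".join(lines)


# Constructed sample in the posted log's layout; hashes are placeholders.
SAMPLE_LOG = r"""
13:44:03.0109 6076 SafeBoot (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) C:\WINDOWS\system32\drivers\SafeBoot.sys
13:44:03.0171 6076 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
13:44:03.0171 6076 SafeBoot ( LockedFile.Multi.Generic ) - warning
13:44:03.0171 6076 SafeBoot - detected LockedFile.Multi.Generic (1)
13:44:06.0656 6076 MBR (0x1B8) (bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb) \Device\Harddisk0\DR0
13:44:06.0687 6076 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
13:44:06.0687 6076 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
14:18:38.0296 3416 SafeBoot ( LockedFile.Multi.Generic ) - skipped by user
14:18:38.0328 3416 SafeBoot ( LockedFile.Multi.Generic ) - User select action: Skip
14:18:38.0515 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:18:38.0531 3416 \Device\Harddisk0\DR0 - ok
14:18:38.0546 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
"""

if __name__ == "__main__":
    print(report(parse_tdsskiller_log(SAMPLE_LOG)))
```

The point of separating "pending reboot" from "resolved" is the one the thread turns on: a "will be cured on reboot" entry means nothing has been fixed until the machine restarts, and a "Skip" leaves the object in place, so a log with either of those still needs follow-up even though the scan itself reported success.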
 
Continuing on, and if you have time, could you answer: 1. What is the "rootkit" file? 2. Why wasn't the option to "cure" offered rather than the option to "skip"? Thanks very much for being there and assisting.
 
The tdsskiller program found and removed a rootkit; if you hadn't selected cure, it would still be on your system. This is where most users get the google redirect issue from: a bootkit/rootkit/mbr infection. Scanning with tdsskiller is almost required nowadays.
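To read a TDSSKiller log like the one above, here is an added example (not code from the thread or from the TDSSKiller tool) that pairs each detected object with the action chosen for it and flags anything that was only skipped, which is exactly the cure-versus-skip question raised above. The line format the regexes assume is taken from the quoted log; the sample lines are copied from that post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the detection and action lines from the TDSSKiller log
# quoted in this thread (timestamps, PIDs and detection names as posted).
SAMPLE_LOG = r"""
13:44:06.0656 6076 MBR (0x1B8) (22932cd5780a49182a8f485fd070964c) \Device\Harddisk0\DR0
13:44:06.0687 6076 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
13:44:06.0687 6076 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
13:44:06.0703 6076 Scan finished
13:44:06.0703 3416 Detected object count: 2
13:44:06.0703 3416 Actual detected object count: 2
14:18:38.0296 3416 SafeBoot ( LockedFile.Multi.Generic ) - skipped by user
14:18:38.0328 3416 SafeBoot ( LockedFile.Multi.Generic ) - User select action: Skip
14:18:38.0515 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:18:38.0531 3416 \Device\Harddisk0\DR0 - ok
14:18:38.0546 3416 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
14:18:51.0468 5252 Deinitialize success
"""

# Assumed line shape (from the quoted log): "<time> <pid> <object> ( <name> ) - <event>"
EVENT_RE = re.compile(r"^\S+ \d+ (?P<obj>.+?) \( (?P<name>[^)]+) \) - (?P<event>.+)$")
ACTION_RE = re.compile(r"^User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^\S+ \d+ Detected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    obj: str                       # device, file or service the tool flagged
    name: str                      # detection name, e.g. Rootkit.Boot.Pihar.b
    events: List[str] = field(default_factory=list)
    action: Optional[str] = None   # what the user chose: Skip, Cure, Delete ...

    @property
    def needs_reboot(self) -> bool:
        return any("cured on reboot" in e for e in self.events)

    @property
    def resolved(self) -> bool:
        # Only Cure or Delete removes the object; Skip leaves it in place.
        return self.action in ("Cure", "Delete")


def parse_tdsskiller(text: str) -> Tuple[Dict[Tuple[str, str], Detection], Optional[int]]:
    """Return {(object, name): Detection} plus the tool's own detected-object count."""
    detections: Dict[Tuple[str, str], Detection] = {}
    reported_count = None
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            reported_count = int(m.group("n"))
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue                       # driver listing, "- ok", banner lines
        key = (m.group("obj"), m.group("name"))
        det = detections.setdefault(key, Detection(*key))
        a = ACTION_RE.match(m.group("event"))
        if a:
            det.action = a.group("action")
        else:
            det.events.append(m.group("event"))
    return detections, reported_count


def unresolved(detections: Dict[Tuple[str, str], Detection]) -> List[Detection]:
    """Detections the user skipped (or never acted on): still present on disk."""
    return [d for d in detections.values() if not d.resolved]


if __name__ == "__main__":
    dets, n = parse_tdsskiller(SAMPLE_LOG)
    print(f"tool reported {n} objects, parsed {len(dets)}")
    for d in dets.values():
        print(f"{d.name:28} on {d.obj:24} action={d.action} reboot={d.needs_reboot}")
    for d in unresolved(dets):
        print(f"still present: {d.name} ({d.obj})")
```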
 
Hi, here are the log files.

1. Malwarebytes log file

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: HP11005506461 [administrator]

12/31/2011 2:47:11 PM
mbam-log-2011-12-31 (14-47-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193723
Time elapsed: 28 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\Temp\wera0.0709276298994217.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.8385896513212964.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.06559594403979829.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

(end)
2. Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:29:19 PM, on 12/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\ifxtcs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\IfxPsdSv.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O2 - BHO: StartNow Toolbar Helper - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O3 - Toolbar: StartNow Toolbar - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [IFXSPMGT] C:\WINDOWS\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL ""
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290153598093
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1086\7.0.1086\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll
O18 - Protocol: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: Updater Service for StartNow Toolbar - Unknown owner - C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe

--
End of file - 13369 bytes
 
Ok, continue with the next procedure.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself onto your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Hi, I followed the instructions for disabling Trend Micro; however, I didn't get the window that says to confirm that I want to disable the program. It is no longer in the taskbar. Does this mean it was disabled?
 
Usually, you can just right click on the trendmicro icon in the system tray and click on disable auto protect or something similar.
 
When I right click on the Trend Micro icon on the desktop, I don't get anything about disabling the program. However, when I click on the "Compatibility" tab from Properties, I see in "Input Settings", "Turn off advanced text settings for this program". Should I click the box for this option?
 
You don't right click on the icon on your desktop. You right click on the icon that is in the system tray by the clock.

Look at these images.

EN-1037114-01.jpg


EN-1037114-03.jpg


Right click on the icon and click so that it unchecks protection against virus and spyware.
 
Yes, first I did right click on the icon near the system clock and got the menu you show. However, I never got a window indicating to disable the program and now I no longer have the icon near the system clock. I am wondering whether it is disabled.
 
If the icon is no longer there then most likely you just exited the program, which means it's no longer running. If it's still active, combofix will pop up a message saying so.
 