BleepingComputer.com: Need help with rootkit mbr trojan removal

Hi there,

I have been hit last night by a trojan that came in by way of a link I clicked on and it put up a loud and obnoxious warning in a window of Security Solutions 2011. I don't use a program by that name and it was yelling out continuously that I had a virus and it was scanning and trying to get me to buy that program. I used control alt delete and ended the application after I saw what it had started in the task manager. It started outlook exe which I don't use at all and it had 3 other exe apps started that I know were bogus and one called security solutions 2011. This one has a severe rating and it will affect the master boot record. Many exe files in the temp internet files that are swearing in mean cussing language. Help please.
thank you for your prompt attention to this.
Gabstercol.

This post has been edited by Budapest: 17 July 2011 - 07:10 PM
Reason for edit: Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest

Hello and welcome

Please follow our Removal Guide here Remove Security Solution 2011 .
After reading how the malware is misleading you ...
You will move to the Automated Removal Instructions

After you completed that, post your scan log here,let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


To check for and confirm the MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).

• Go to Start > Run and type: cmd.exe
  
• press Ok.
  
• At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  
• press Enter.
  
• The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  
• A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  
• Copy and paste the results of the mbr.log in your next reply.

If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

Hi there,

Thank you for taking my case so quickly. Since yesterday when it infected my computer, I ran the safety live scanner of MS and it removed the viruses for the most part except for the one called Trojan:Dos/Alureon.A which needed a manual removal. Then I ran malwarebytes right after that scan and removal and malwarebytes found a bunch of trojans and it removed those. Then it seemed like it was working fine and I looked in the registry to see if there were any of the tell tale signs of the trojan and found nothing and I was thinking it was okay but .... NO it was not. Malwarebytes just found another 6 infections so we are very much initiating the viruses all over again I guess with each restart or in the restore feature of the computer. See below the malwarebytes scan. So I noticed that there is a deployment of the virus thru the sun java application showing in its log. Then next I am posting the mbr log.

I have also run a hijack this scan and I am going to post it here too, hopefully that is okay to do because I don't like something I see in there. It has to do with a shared task scheduler and that has never been in my hijack this log before. They are noted as 2 item number 22's. Thank you so much for your help with this. gabstercol.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7189

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/18/2011 2:21:14 AM
mbam-log-2011-07-18 (02-21-14).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 331198
Time elapsed: 48 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Gabi\application data\Sun\Java\deployment\cache\6.0\9\77007949-256f6e85 (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Gabi\application data\Sun\Java\deployment\cache\6.0\9\77007949-297e12b0 (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{389b4acf-ea42-4beb-88d1-28fadd819fc1}\RP355\A0056546.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{389b4acf-ea42-4beb-88d1-28fadd819fc1}\RP355\A0056547.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{389b4acf-ea42-4beb-88d1-28fadd819fc1}\RP355\A0056555.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{389b4acf-ea42-4beb-88d1-28fadd819fc1}\RP355\A0056556.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Here is the mbr log.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDT721010SLA360 rev.ST6OA31B -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8B21E31B
user & kernel MBR OK


Mod Edit: HijackThis log removed; not permitted in this forum.

This post has been edited by quietman7: 18 July 2011 - 09:10 AM

Hello, Hjt logs are not to be posted in this section. I see a Moderator removed it. OK,not a big deal. Let's just do these and if we still have issues we'll move there.


Your HOSTS file may be infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically,go HERE click the button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the promots in the Fix it wizard.



Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• If TDSSKiller does not run, try renaming it.
  
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  
• Click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

Now an online scan.
I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the icon on your desktop.
  
  
• Check
  
• Click the button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check and check Remove found threats
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, push
  
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Push the button.
  
• Push

NOTE: In some instances if no malware is found there will be no log produced.

Hi there,

Thanks for your reply and for helping me resolve this issue. It is much appreciated.

Sorry about the hijack this log yesterday. I wasn't sure if that would cause a problem. Forgive me.

Because I have been here before with Bleeping Computer and a rootkit invasion of the mbr, I pay attention to what you guys teach. So whenever I get hit I keep a very close watch over the hosts file. When I first got this computer, I took a look at the hosts file and I did a screen capture so I would always know what it is supposed to look like so if it changes then I would know that it has been altered.

Yesterday I used hijack this to go into the hosts file and verify that it was clean and had not been altered and it showed me it was identical to the hosts file when the computer was brand new. So I believe we are okay there with the hosts file not being affected at this point. I am keeping tabs on that because I have experienced a corrupted hosts file before.

As far as the two programs that you want me to run, I just wanted to give you a heads up that I am in receipt of the message and tonight I will be able to run those when I am not using my computer for my business. Right now I am still in the middle of many things on my computer and I will have the information from those programs later tonight after I have time to run them when I won't need to use the computer. I am so totally grateful that the computer is running fine in the meantime while this trojan is slowly but surely trying to work its way in to where it doesn't belong and where it is not welcome. I will not sit on this since I realize the urgency on getting it out before it does damage. I will have those logs to you later tonight.

Thanks for all your help with this issue.

Gabstercol

Hi there,

The results of the TDSS Killer scan and cure are below. It definitely found a rootkit. Before you review the results, just to give you a heads up, the ESET online scanner did not work. It would not let me get started at all. I got the window to open and I agreed to the terms and conditions and hit start. Then it gave me the security warning and when I right clicked on the warning to install the Active X for all users of this computer was the warning, and then it gave me a message that said retry and that internet explorer needs to resend the information that I was requesting. It said if you are buying a program then you may wish to cancel so you don't get charged for a duplicate. And it kept going round and round and ending up the same place and never let it install the active x to run that scanner. Hmmmm. So all I have for you is the TDSS killer log below. thank you. Gabster


2011/07/18 22:40:48.0953 3248 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/18 22:40:49.0687 3248 ================================================================================
2011/07/18 22:40:49.0687 3248 SystemInfo:
2011/07/18 22:40:49.0687 3248
2011/07/18 22:40:49.0687 3248 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/18 22:40:49.0687 3248 Product type: Workstation
2011/07/18 22:40:49.0687 3248 ComputerName: COMPUTER-E03E53
2011/07/18 22:40:49.0687 3248 UserName: Gabi
2011/07/18 22:40:49.0687 3248 Windows directory: C:\WINDOWS
2011/07/18 22:40:49.0687 3248 System windows directory: C:\WINDOWS
2011/07/18 22:40:49.0687 3248 Processor architecture: Intel x86
2011/07/18 22:40:49.0687 3248 Number of processors: 2
2011/07/18 22:40:49.0687 3248 Page size: 0x1000
2011/07/18 22:40:49.0687 3248 Boot type: Normal boot
2011/07/18 22:40:49.0687 3248 ================================================================================
2011/07/18 22:40:50.0718 3248 Initialize success
2011/07/18 22:40:58.0359 3628 ================================================================================
2011/07/18 22:40:58.0359 3628 Scan started
2011/07/18 22:40:58.0359 3628 Mode: Manual;
2011/07/18 22:40:58.0359 3628 ================================================================================
2011/07/18 22:40:58.0765 3628 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/18 22:40:58.0796 3628 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/18 22:40:58.0843 3628 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/18 22:40:58.0859 3628 AFD (8d499b1276012eb907e7a9e0f4d8fda4) C:\WINDOWS\System32\drivers\afd.sys
2011/07/18 22:40:58.0953 3628 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/07/18 22:40:59.0046 3628 amdide (6e58654cb25730b2579e45e1fd116a47) C:\WINDOWS\system32\DRIVERS\amdide.sys
2011/07/18 22:40:59.0078 3628 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/07/18 22:40:59.0125 3628 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/18 22:40:59.0140 3628 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/18 22:40:59.0156 3628 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/18 22:40:59.0187 3628 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/18 22:40:59.0187 3628 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/18 22:40:59.0218 3628 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/18 22:40:59.0265 3628 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/18 22:40:59.0281 3628 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/18 22:40:59.0296 3628 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/18 22:40:59.0453 3628 DcCam (1b269ed3eb2d81ec11cd5b0544e89962) C:\WINDOWS\system32\DRIVERS\DcCam.sys
2011/07/18 22:40:59.0484 3628 DcFpoint (bd6ce20068159f9714ebe9e76decab2c) C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
2011/07/18 22:40:59.0515 3628 DCFS2K (1315e0b5b6fc1fe930ee3498309700bd) C:\WINDOWS\system32\drivers\dcfs2k.sys
2011/07/18 22:40:59.0546 3628 DcLps (5f5055efb3e0820f349924e7c5bd5af4) C:\WINDOWS\system32\DRIVERS\DcLps.sys
2011/07/18 22:40:59.0562 3628 DcPTP (31689427da60a724b31a622b35ed21ec) C:\WINDOWS\system32\DRIVERS\DcPTP.sys
2011/07/18 22:40:59.0640 3628 DefragFS (d0589c02158e79f6589da7a35348ee38) C:\WINDOWS\system32\drivers\DefragFS.sys
2011/07/18 22:40:59.0656 3628 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/18 22:40:59.0718 3628 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/18 22:40:59.0734 3628 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/18 22:40:59.0734 3628 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/18 22:40:59.0796 3628 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/18 22:40:59.0828 3628 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/18 22:40:59.0859 3628 Exportit (f85ffdeae43f9e9a7c3f4e3cc5ef09eb) C:\WINDOWS\system32\DRIVERS\exportit.sys
2011/07/18 22:40:59.0890 3628 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/18 22:40:59.0906 3628 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/07/18 22:40:59.0953 3628 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/18 22:40:59.0953 3628 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/07/18 22:41:00.0000 3628 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/07/18 22:41:00.0015 3628 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/18 22:41:00.0015 3628 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/18 22:41:00.0046 3628 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/18 22:41:00.0093 3628 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/18 22:41:00.0125 3628 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/18 22:41:00.0156 3628 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/07/18 22:41:00.0171 3628 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/07/18 22:41:00.0171 3628 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/07/18 22:41:00.0203 3628 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/18 22:41:00.0281 3628 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/18 22:41:00.0296 3628 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/18 22:41:00.0406 3628 IntcAzAudAddService (0cacdcbbc8e6f11e2865c47bfc509848) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/07/18 22:41:00.0484 3628 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/07/18 22:41:00.0500 3628 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/18 22:41:00.0515 3628 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/18 22:41:00.0531 3628 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/18 22:41:00.0546 3628 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/18 22:41:00.0562 3628 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/18 22:41:00.0625 3628 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/18 22:41:00.0640 3628 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/18 22:41:00.0656 3628 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/18 22:41:00.0687 3628 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/18 22:41:00.0703 3628 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/18 22:41:00.0765 3628 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/07/18 22:41:00.0796 3628 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/18 22:41:00.0828 3628 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/18 22:41:00.0906 3628 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/07/18 22:41:01.0000 3628 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/18 22:41:01.0031 3628 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/18 22:41:01.0062 3628 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/18 22:41:01.0093 3628 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/18 22:41:01.0156 3628 MRxSmb (8dd801e28eb76fda2a38907882a0036f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/18 22:41:01.0171 3628 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/18 22:41:01.0203 3628 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/18 22:41:01.0218 3628 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/18 22:41:01.0250 3628 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/18 22:41:01.0265 3628 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/18 22:41:01.0328 3628 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/18 22:41:01.0343 3628 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/18 22:41:01.0359 3628 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/18 22:41:01.0359 3628 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/18 22:41:01.0375 3628 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/18 22:41:01.0406 3628 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/18 22:41:01.0437 3628 NetBIOS (58f7421393048c12b2f8f2fde5246375) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/18 22:41:01.0437 3628 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbios.sys. Real md5: 58f7421393048c12b2f8f2fde5246375, Fake md5: 5d81cf9a2f1a3a756b66cf684911cdf0
2011/07/18 22:41:01.0437 3628 NetBIOS - detected ForgedFile.Multi.Generic (1)
2011/07/18 22:41:01.0484 3628 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/18 22:41:01.0515 3628 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/18 22:41:01.0531 3628 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/18 22:41:01.0562 3628 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/07/18 22:41:01.0578 3628 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/18 22:41:01.0781 3628 nv (cb0ce8de9f66a297cd86eb98921b8e58) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/18 22:41:01.0984 3628 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/18 22:41:02.0000 3628 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/18 22:41:02.0046 3628 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/07/18 22:41:02.0093 3628 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/18 22:41:02.0109 3628 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/18 22:41:02.0187 3628 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/18 22:41:02.0203 3628 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/18 22:41:02.0234 3628 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/18 22:41:02.0296 3628 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/18 22:41:02.0328 3628 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/07/18 22:41:02.0328 3628 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/18 22:41:02.0343 3628 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/18 22:41:02.0359 3628 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/18 22:41:02.0421 3628 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/18 22:41:02.0500 3628 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/18 22:41:02.0515 3628 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/18 22:41:02.0531 3628 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/18 22:41:02.0546 3628 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/18 22:41:02.0578 3628 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/18 22:41:02.0578 3628 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/18 22:41:02.0593 3628 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/18 22:41:02.0625 3628 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/18 22:41:02.0640 3628 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/18 22:41:02.0671 3628 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/07/18 22:41:02.0718 3628 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/07/18 22:41:02.0734 3628 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/07/18 22:41:02.0765 3628 RTLE8023xp (ba7ced0f0799012b1f2bfda06d7506db) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/07/18 22:41:02.0812 3628 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/18 22:41:02.0812 3628 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/18 22:41:02.0828 3628 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/18 22:41:02.0843 3628 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/18 22:41:02.0890 3628 snapman (e60646143eb6b746eb3ab58ef7d5cff7) C:\WINDOWS\system32\DRIVERS\snapman.sys
2011/07/18 22:41:02.0921 3628 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/18 22:41:02.0953 3628 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/18 22:41:03.0000 3628 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/18 22:41:03.0031 3628 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/18 22:41:03.0078 3628 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/18 22:41:03.0218 3628 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/18 22:41:03.0234 3628 Tcpip (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/18 22:41:03.0265 3628 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/18 22:41:03.0359 3628 tdrpman228 (664469f03c955e851c5de58eea233f5a) C:\WINDOWS\system32\DRIVERS\tdrpm228.sys
2011/07/18 22:41:03.0390 3628 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/18 22:41:03.0406 3628 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/18 22:41:03.0406 3628 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2011/07/18 22:41:03.0421 3628 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys
2011/07/18 22:41:03.0453 3628 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/18 22:41:03.0500 3628 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/18 22:41:03.0578 3628 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/07/18 22:41:03.0593 3628 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/18 22:41:03.0609 3628 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/18 22:41:03.0625 3628 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/18 22:41:03.0640 3628 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/07/18 22:41:03.0671 3628 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/18 22:41:03.0687 3628 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/18 22:41:03.0718 3628 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/18 22:41:03.0734 3628 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/18 22:41:03.0750 3628 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/18 22:41:03.0781 3628 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/18 22:41:03.0796 3628 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/07/18 22:41:03.0875 3628 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/18 22:41:03.0921 3628 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/07/18 22:41:03.0937 3628 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/18 22:41:03.0953 3628 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/18 22:41:03.0984 3628 MBR (0x1B8) (80fd0528e2ba77a5827680d8a26822a3) \Device\Harddisk0\DR0
2011/07/18 22:41:03.0984 3628 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/18 22:41:03.0984 3628 Boot (0x1200) (f90f3ecb65091bd463a5b19c9e2eafca) \Device\Harddisk0\DR0\Partition0
2011/07/18 22:41:04.0000 3628 Boot (0x1200) (a3a0f80baa714496fe529910807a83a7) \Device\Harddisk0\DR0\Partition1
2011/07/18 22:41:04.0015 3628 ================================================================================
2011/07/18 22:41:04.0015 3628 Scan finished
2011/07/18 22:41:04.0015 3628 ================================================================================
2011/07/18 22:41:04.0015 3288 Detected object count: 2
2011/07/18 22:41:04.0015 3288 Actual detected object count: 2
2011/07/18 22:42:52.0593 3288 ForgedFile.Multi.Generic(NetBIOS) - User select action: Skip
2011/07/18 22:42:52.0625 3288 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/18 22:42:52.0625 3288 \Device\Harddisk0\DR0 - ok
2011/07/18 22:42:52.0625 3288 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/18 22:43:04.0546 2580 Deinitialize success

Hi there,

I was reading in the FAQs and help section of ESET online scanner because it failed to run the scanner and I know why that would happen. I noticed that in their example it showed that when you right click the securtiy warning, it says install the Active X. It was strange that my computer worded this warning differently because mine said install the Active X for all users of this computer. I don't think my computer ever said it this way before. It always just said install the Active X, so I thought that might be significant for you to know.

Next, something else that may be significant for you to know ... When I first got hit by this trojan a couple days ago, I called Microsoft's PC safety hotline, and because it was the weekend they did not have their second level tech support on hand to assist with rootkit removals. So they lacked the necessary tools to effectively cure a computer of a rootkit. Go figure right. So they had me run the live safety scanner and it found the initial infection, which is how I knew the name of this trojan and it's severity rating. Then they got on my computer to check to make sure the trojan was gone, and they found it was not active anymore. Okaay. So then I had them help me fix a problem that I had for a while with one critical update of the net framework that kept failing for months now. After diligent manual effort on thier part they managed to finally succeed at installing that update. Then all the others following that one were necessary to install again.

Now the reason I am telling you this is because I thought maybe ESET failed because Microsoft never did remove their Easy Assist Active X control. So I went and uninstalled their Easy Assist control from the Add Remove Programs, just to be on the safe side and not keep programs installed that could potentially be a risk later for a remote intrusion. What I found to be strange was that in the list of programs there was actually one entry that was a word document. I don't recall ever seeing that document there before and it seemed wierd to have a word document in between what I thought were only applications and executable programs. So I am bringing it to your attention so you can determine if it is normal to be in there or not. The name of the word doc in the Add Remove Programs list is: Microsoft Office file Validation Add In. Please let me know what you know about that Add In.

Oh Guess what? I just went back to the ESET Online Scanner to see if that helped it to get the Active X installed to run the online Scanner and … It worked. I now am able to get ESET to run on my computer. I will get back to you shortly with the results. Thanks. Gabster

Hi Boopme,

Here are the results of the ESET online scanner. It found 16 threats and most of them showed
up in the restore files towards the end of the scan. thank you. Gabster

C:\Documents and Settings\Gabi\Application Data\Sun\Java\Deployment\cache\6.0\30\5eb7c1de-64e0cbdf multiple threats deleted - quarantined
C:\Documents and Settings\Gabi\Application Data\Sun\Java\Deployment\cache\6.0\33\51938761-21574b81 multiple threats deleted - quarantined
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP355\A0056737.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP357\A0056774.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP359\A0057285.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP360\A0058868.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP361\A0058974.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP362\A0059360.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP362\A0059371.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP362\A0059377.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP362\A0059396.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP362\A0059420.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP363\A0059439.ini a variant of Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{389B4ACF-EA42-4BEB-88D1-28FADD819FC1}\RP364\A0059505.exe Win32/Patched.HN trojan cleaned - quarantined
C:\WINDOWS\system32\wuauclt.exe Win32/Patched.HN trojan cleaned - quarantined

The word doc is legit.
Office File Validation (OFV) is a security feature that was introduced in Microsoft Office 2010. Office File Validation verifies that a particular binary file complies with the application’s expectations. Office File Validation can help prevent unknown binary file format attacks against Microsoft Office 97-2003 file formats.

http://support.microsoft.com/kb/2501584

Everything else looks good here. I would update and rerun MBAM again . Then we will mop up and get the System Volume Information\_restore files.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Hi Boopme,

Thanks for your message and verification of my questions. You are very thorough.

So you seem to have a lot of faith in the effectiveness of those 2 programs we ran and I was quite impressed also to see them actually perform and find all these hidden infections in the restore files and such. So here is a question that I had about the restore scenario since those files were hit. Shouldn't I be disabling the restore feature of the computer while we are working to remove trojans because Windows will automatically create the restore for everything that we are removing anyway? I thought virus removal always needed to be done with the restore feature off. I know that would eliminate the ability for one to restore to a previous point in time but it would prevent the virus from recreating itself again.

Then the next thing I need to tell you is that whatever this trojan has done, it has made it impossible for me to use the google search engine effectively. Everything is being redirected and I haven't been able to open a link from a search engine for a few days now. I see the website name that I click on and I am ending up at something else entirely. I imagine that will be included in the mopping up of the infection but just wanted you to know that it has my browser either showing me the oops it can't find the website or I end up at other search engines to purchase things at squeeze pages.

I will have to run the scan of malwarebytes in a couple hours from now as I have a lot of things going at the same time but I am very appreciative of your assistance and thing you guys at Bleeping Computer are the bomb. I don't know what I would do without you because even Microsoft, is basically worthless to us when things like this happen. So thank you so very much. I will submit the Mbam log a little later today. Gabster

Please Clarify something for me. Are you wanting me to run the scan in safe mode and just update in regular mode? You said run in normal mode and then you said to reboot into normal mode. Can you please verify that for me? thanks. Gabster

Hello Gabi. it appears that we are not yet clean. I prefer to use MBAM in Normal mode as much as possible. Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

The 5 tools ran are very effective against most malwares. Some rootkits and bcakdoors being an exception.

Quote

I /we (BC Staff) always clean this last as I prefer to have an infected Resore Point than none to fall back on if someting goes bad.

Some of the malware you picked up could have been saved in System Restore. This IS why may others clean that first. This is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.


I would like to Rerun TDSS killer and be sure they are gone... and Rerun MBAM.

Next run this tool to check the Goored infecyion.
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Now another Rootkit scan.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

• Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• Click the Report tab, then click Scan.
  
• Check Drivers, Stealth, and uncheck the rest.
  
• Click OK.
  
• Wait until it's finished and then go to File > Save Report.
  
• Save the report to your Desktop.
  
• Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


EDIT: are you on a router? If yes are others on it and do they redirect?

This post has been edited by boopme: 19 July 2011 - 08:14 PM

Thank you for being so thorough in your answers to my questions. That really helps me know that you are taking care of the concerns I have as well as removing the nasty critters. I understand what you explained about for Malwarebytes so I will run it in normal mode. I will also run the other programs that you have advised and I will get back to you later tonight or by tomorrow with the results. Also thanks for explaining about the restore question because that makes total sense and works for me. I feel very comfortable with you handling this case for me. Thank you so much. Gabster

Hi there,
Here is the TDSS killer log after running it again.

It showed me there was 1 infection and then when I went to the next screen it showed me infection not found. It showed me forged files and gave the option to skip but it did not give me the option to cure. Should I have downloaded a fresh program of it or using the same one was okay? Anyway, I used the same one. Here is the log. I did not get to run the other 2 programs so I have to do that when I wake up. I need to catch some zzzz's. thanks.

2011/07/20 04:12:44.0921 3968 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/20 04:12:45.0468 3968 ================================================================================
2011/07/20 04:12:45.0468 3968 SystemInfo:
2011/07/20 04:12:45.0468 3968
2011/07/20 04:12:45.0468 3968 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/20 04:12:45.0468 3968 Product type: Workstation
2011/07/20 04:12:45.0468 3968 ComputerName: COMPUTER-E03E53
2011/07/20 04:12:45.0468 3968 UserName: Gabi
2011/07/20 04:12:45.0468 3968 Windows directory: C:\WINDOWS
2011/07/20 04:12:45.0468 3968 System windows directory: C:\WINDOWS
2011/07/20 04:12:45.0468 3968 Processor architecture: Intel x86
2011/07/20 04:12:45.0468 3968 Number of processors: 2
2011/07/20 04:12:45.0468 3968 Page size: 0x1000
2011/07/20 04:12:45.0468 3968 Boot type: Normal boot
2011/07/20 04:12:45.0468 3968 ================================================================================
2011/07/20 04:12:46.0390 3968 Initialize success
2011/07/20 04:12:52.0968 3192 ================================================================================
2011/07/20 04:12:52.0968 3192 Scan started
2011/07/20 04:12:52.0968 3192 Mode: Manual;
2011/07/20 04:12:52.0968 3192 ================================================================================
2011/07/20 04:12:54.0671 3192 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/20 04:12:54.0687 3192 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/20 04:12:54.0718 3192 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/20 04:12:54.0750 3192 AFD (8d499b1276012eb907e7a9e0f4d8fda4) C:\WINDOWS\System32\drivers\afd.sys
2011/07/20 04:12:54.0843 3192 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/07/20 04:12:54.0890 3192 amdide (6e58654cb25730b2579e45e1fd116a47) C:\WINDOWS\system32\DRIVERS\amdide.sys
2011/07/20 04:12:54.0906 3192 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/07/20 04:12:54.0984 3192 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/20 04:12:54.0984 3192 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/20 04:12:55.0000 3192 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/20 04:12:55.0031 3192 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/20 04:12:55.0046 3192 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/20 04:12:55.0062 3192 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/20 04:12:55.0078 3192 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/20 04:12:55.0140 3192 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/20 04:12:55.0156 3192 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/20 04:12:55.0218 3192 DcCam (1b269ed3eb2d81ec11cd5b0544e89962) C:\WINDOWS\system32\DRIVERS\DcCam.sys
2011/07/20 04:12:55.0234 3192 DcFpoint (bd6ce20068159f9714ebe9e76decab2c) C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
2011/07/20 04:12:55.0281 3192 DCFS2K (1315e0b5b6fc1fe930ee3498309700bd) C:\WINDOWS\system32\drivers\dcfs2k.sys
2011/07/20 04:12:55.0312 3192 DcLps (5f5055efb3e0820f349924e7c5bd5af4) C:\WINDOWS\system32\DRIVERS\DcLps.sys
2011/07/20 04:12:55.0359 3192 DcPTP (31689427da60a724b31a622b35ed21ec) C:\WINDOWS\system32\DRIVERS\DcPTP.sys
2011/07/20 04:12:55.0359 3192 DefragFS (d0589c02158e79f6589da7a35348ee38) C:\WINDOWS\system32\drivers\DefragFS.sys
2011/07/20 04:12:55.0390 3192 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/20 04:12:55.0406 3192 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/20 04:12:55.0437 3192 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/20 04:12:55.0437 3192 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/20 04:12:55.0500 3192 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/20 04:12:55.0515 3192 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/20 04:12:55.0562 3192 Exportit (f85ffdeae43f9e9a7c3f4e3cc5ef09eb) C:\WINDOWS\system32\DRIVERS\exportit.sys
2011/07/20 04:12:55.0593 3192 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/20 04:12:55.0625 3192 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/07/20 04:12:55.0640 3192 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/20 04:12:55.0656 3192 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/07/20 04:12:55.0671 3192 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/07/20 04:12:55.0687 3192 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/20 04:12:55.0703 3192 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/20 04:12:55.0734 3192 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/20 04:12:55.0781 3192 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/20 04:12:55.0796 3192 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/20 04:12:55.0828 3192 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/07/20 04:12:55.0828 3192 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/07/20 04:12:55.0843 3192 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/07/20 04:12:55.0890 3192 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/20 04:12:55.0968 3192 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/20 04:12:56.0015 3192 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/20 04:12:56.0125 3192 IntcAzAudAddService (0cacdcbbc8e6f11e2865c47bfc509848) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/07/20 04:12:56.0218 3192 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/07/20 04:12:56.0234 3192 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/20 04:12:56.0250 3192 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/20 04:12:56.0265 3192 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/20 04:12:56.0281 3192 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/20 04:12:56.0296 3192 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/20 04:12:56.0328 3192 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/20 04:12:56.0359 3192 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/20 04:12:56.0375 3192 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/20 04:12:56.0390 3192 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/20 04:12:56.0437 3192 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/20 04:12:56.0468 3192 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/07/20 04:12:56.0484 3192 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/20 04:12:56.0484 3192 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/20 04:12:56.0531 3192 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/07/20 04:12:56.0625 3192 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/20 04:12:56.0640 3192 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/20 04:12:56.0656 3192 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/20 04:12:56.0687 3192 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/20 04:12:56.0718 3192 MRxSmb (8dd801e28eb76fda2a38907882a0036f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/20 04:12:56.0781 3192 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/20 04:12:56.0812 3192 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/20 04:12:56.0828 3192 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/20 04:12:56.0843 3192 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/20 04:12:56.0875 3192 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/20 04:12:56.0890 3192 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/20 04:12:57.0015 3192 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/20 04:12:57.0046 3192 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/20 04:12:57.0078 3192 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/20 04:12:57.0078 3192 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/20 04:12:57.0109 3192 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/20 04:12:57.0171 3192 NetBIOS (58f7421393048c12b2f8f2fde5246375) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/20 04:12:57.0171 3192 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbios.sys. Real md5: 58f7421393048c12b2f8f2fde5246375, Fake md5: 5d81cf9a2f1a3a756b66cf684911cdf0
2011/07/20 04:12:57.0171 3192 NetBIOS - detected ForgedFile.Multi.Generic (1)
2011/07/20 04:12:57.0203 3192 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/20 04:12:57.0265 3192 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/20 04:12:57.0281 3192 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/20 04:12:57.0359 3192 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/07/20 04:12:57.0375 3192 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/20 04:12:57.0531 3192 nv (cb0ce8de9f66a297cd86eb98921b8e58) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/20 04:12:57.0718 3192 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/20 04:12:57.0718 3192 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/20 04:12:57.0750 3192 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/07/20 04:12:57.0765 3192 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/20 04:12:57.0796 3192 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/20 04:12:57.0812 3192 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/20 04:12:57.0828 3192 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/20 04:12:57.0843 3192 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/20 04:12:57.0890 3192 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/20 04:12:57.0921 3192 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/07/20 04:12:58.0000 3192 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/20 04:12:58.0000 3192 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/20 04:12:58.0015 3192 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/20 04:12:58.0046 3192 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/20 04:12:58.0093 3192 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/20 04:12:58.0109 3192 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/20 04:12:58.0125 3192 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/20 04:12:58.0125 3192 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/20 04:12:58.0140 3192 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/20 04:12:58.0203 3192 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/20 04:12:58.0218 3192 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/20 04:12:58.0250 3192 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/20 04:12:58.0265 3192 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/20 04:12:58.0281 3192 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/07/20 04:12:58.0296 3192 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/07/20 04:12:58.0312 3192 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/07/20 04:12:58.0328 3192 RTLE8023xp (ba7ced0f0799012b1f2bfda06d7506db) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/07/20 04:12:58.0406 3192 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/20 04:12:58.0421 3192 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/20 04:12:58.0421 3192 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/20 04:12:58.0437 3192 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/20 04:12:58.0468 3192 snapman (e60646143eb6b746eb3ab58ef7d5cff7) C:\WINDOWS\system32\DRIVERS\snapman.sys
2011/07/20 04:12:58.0484 3192 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/20 04:12:58.0500 3192 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/20 04:12:58.0531 3192 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/20 04:12:58.0609 3192 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/20 04:12:58.0625 3192 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/20 04:12:58.0656 3192 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/20 04:12:58.0703 3192 Tcpip (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/20 04:12:58.0718 3192 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/20 04:12:58.0750 3192 tdrpman228 (664469f03c955e851c5de58eea233f5a) C:\WINDOWS\system32\DRIVERS\tdrpm228.sys
2011/07/20 04:12:58.0812 3192 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/20 04:12:58.0828 3192 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/20 04:12:58.0843 3192 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2011/07/20 04:12:58.0859 3192 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys
2011/07/20 04:12:58.0890 3192 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/20 04:12:58.0921 3192 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/20 04:12:58.0984 3192 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/07/20 04:12:59.0046 3192 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/20 04:12:59.0062 3192 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/20 04:12:59.0078 3192 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/20 04:12:59.0093 3192 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/07/20 04:12:59.0125 3192 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/20 04:12:59.0140 3192 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/20 04:12:59.0187 3192 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/20 04:12:59.0250 3192 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/20 04:12:59.0265 3192 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/20 04:12:59.0281 3192 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/20 04:12:59.0328 3192 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/07/20 04:12:59.0359 3192 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/20 04:12:59.0406 3192 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/07/20 04:12:59.0437 3192 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/20 04:12:59.0437 3192 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/20 04:12:59.0453 3192 MBR (0x1B8) (79adb7590ed24e2461d6b8c14345e2b0) \Device\Harddisk0\DR0
2011/07/20 04:12:59.0500 3192 Boot (0x1200) (f90f3ecb65091bd463a5b19c9e2eafca) \Device\Harddisk0\DR0\Partition0
2011/07/20 04:12:59.0515 3192 Boot (0x1200) (a3a0f80baa714496fe529910807a83a7) \Device\Harddisk0\DR0\Partition1
2011/07/20 04:12:59.0515 3192 ================================================================================
2011/07/20 04:12:59.0515 3192 Scan finished
2011/07/20 04:12:59.0515 3192 ================================================================================
2011/07/20 04:12:59.0515 1000 Detected object count: 1
2011/07/20 04:12:59.0515 1000 Actual detected object count: 1
2011/07/20 04:13:10.0250 1000 ForgedFile.Multi.Generic(NetBIOS) - User select action: Skip


Here is the malwarebytes log and it found no threats. I did the quick scan.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7210

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/20/2011 4:20:29 AM
mbam-log-2011-07-20 (04-20-29).txt

Scan type: Quick scan
Objects scanned: 178345
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi skip was correct. This is way too difficult to explain. It implies that TDSSKiller knows what the real MD5 hash should be and that the faked MD5 hash is only internally consistent. It's just the rootkit misreporting and not a cryptographically forged MD5 hash. A leftover that is considered better left thean removed as it cant do anything and Killer considers it safer to leave it there.

This looks clean now and we can mop up. If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
  
• Go to Start > Run and type: Cleanmgr
  
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
  
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  
• Click Yes, then click Ok.
  
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
  
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe.
  
• How did I get infected?, With steps so it does not happen again!.
  
• Hardening Windows Security - Part 1 & Part 2.
  
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
  
• Your Guide To Staying Safe Online.
  
• Use Task Manager to close pop-up messages to safely exit malware attacks.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

• Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• USB-Based Malware Attacks.
  
• When is AUTORUN.INF really an AUTORUN.INF?.
  
• Please disable Autorun asap!.