Ping/Google Redirect

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Ping/Google Redirect

#1 Landulph

Member

Group: Members
Posts: 43
Joined: 07-October 10

Posted 10 December 2011 - 02:34 AM

Today around 1:30 PM, when I wasn't even using my laptop (and wasn't even in the house), Panda blocked/deleted a CI.A trojan in my windows/temp directory from opening, and detected and blocked a "suspicious program" at WINDOWS/SYSTEM32/8PAK81.COM. I also noticed (upon a restart) that my computer was taking much longer to acquire an IP address, and that every single link generated by a google search redirected to "Get-answers-fast.com." Malwarebytes failed to find anything, so I manually deleted 8PAK81.COM and another file in the same directory, 8PAK81.COM_. This seems to have cured the IP address bug, and the worst of the Google redirects, but they have been replaced by a different problem: every few minutes, ping.exe will launch in task manager (often accompanied by a sound chime), and will eventually take up to 100% of CPU usage if I let it. Also, I will occasionally get a google redirect to a variety of sites (not just Get-answers-fast.com this time), both when ping.exe is running and when it is not. Both of these problems can be fixed simply by shutting down ping.exe in task manager; I've also blocked the program from inbound and outbound connections in Panda firewall. A full Panda scan found only about 40 cookies, and two systems restores (though successful) have failed to cure the problem. So far, the symptoms are not horrendous, but I still want this off my system as soon as possible. And now the logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Landulph at 19:41:42 on 2011-12-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.349 [GMT -5:00]
.
AV: Panda Antivirus Pro 2011 *Enabled/Updated* {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}
FW: Panda Personal Firewall 2011 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\TPSrv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2011\WebProxy.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\Firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\PskSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\pavsrvx86.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2011\ApVxdWin.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe -k netsvc
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APVXDWIN] "c:\program files\panda security\panda antivirus pro 2011\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "c:\program files\panda security\panda antivirus pro 2011\Inicio.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{DF633078-3384-470F-86BB-99B4970B1A66} : DhcpNameServer = 209.18.47.61 209.18.47.62
Notify: avldr - avldr.dll
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\landulph\application data\mozilla\firefox\profiles\pon2x1m6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npdsplay.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\netscape\communicator\program\plugins\nppl3260.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprfxins.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npwmsdrm.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2011-10-3 26696]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-12-9 207280]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2011-9-26 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2011-8-16 59080]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2011-12-9 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-12-9 59664]
R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2011-10-3 76296]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2011-10-3 53256]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2011-10-3 22024]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2011-10-3 193800]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2011-10-3 159112]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2011-12-9 233136]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2011-10-3 37896]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2011-10-3 46856]
R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [2011-10-3 59080]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda antivirus pro 2011\PsCtrlS.exe [2011-10-3 173312]
R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda antivirus pro 2011\PavFnSvr.exe [2011-10-3 202048]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2011-10-3 163336]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda security\pavshld\PavPrSrv.exe [2011-10-3 62768]
R2 PAVSRV;Panda On-Access Anti-Malware Service;c:\program files\panda security\panda antivirus pro 2011\pavsrvx86.exe [2011-10-3 314176]
R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda antivirus pro 2011\psksvc.exe [2011-10-3 28992]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-4 14336]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [2011-10-3 199688]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2011-9-26 61328]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2011-12-9 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-12-9 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-12-9 1141712]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2011-12-9 33552]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== File Associations ===============
.
JSEFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*
VBEFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*
VBSFile=c:\progra~1\pandas~1\pandaa~1\PavScrip.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-12-09 21:10:17 -------- d-----w- c:\program files\STOPzilla!
2011-12-09 21:10:13 -------- d-----w- c:\program files\common files\iS3
2011-12-09 21:10:12 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-12-09 20:32:32 -------- d--h--w- c:\windows\PIF
2011-12-09 20:21:03 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2011-12-09 20:21:03 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2011-12-09 20:21:02 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2011-12-09 20:13:15 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-12-09 20:13:11 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-12-09 20:13:11 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-12-09 20:13:06 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-12-09 20:12:57 -------- d-----w- c:\program files\Spyware Doctor
2011-12-09 20:12:57 -------- d-----w- c:\program files\common files\PC Tools
2011-12-09 20:12:57 -------- d-----w- c:\documents and settings\landulph\application data\PC Tools
2011-12-09 20:12:57 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-12-09 20:10:12 -------- d-----w- c:\documents and settings\landulph\application data\GetRightToGo
2011-12-09 19:33:15 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-09 19:33:15 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-07 22:12:22 68648 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-12-07 22:12:22 547880 ----a-r- c:\windows\system32\SZComp5.dll
2011-12-07 22:12:22 482344 ----a-r- c:\windows\system32\SZBase5.dll
2011-12-07 22:12:22 457768 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-12-07 22:12:22 30248 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-12-07 22:12:22 24616 ----a-r- c:\windows\system32\SZIO5.dll
2011-12-07 22:12:22 134184 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-12-07 22:12:20 740392 ----a-r- c:\windows\system32\IS3Base5.dll
2011-12-07 22:12:20 392232 ----a-r- c:\windows\system32\IS3UI5.dll
2011-12-07 22:12:20 232488 ----a-r- c:\windows\system32\IS3Win325.dll
2011-12-07 22:12:20 105512 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-12-07 22:12:20 101416 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-11-23 20:04:39 -------- d-----w- c:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 19:45:05 9727564 ----a-w- c:\windows\system32\Shakespeare Picture Book.scr
2011-10-03 19:30:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 18:41:42 28276 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2011-10-03 18:25:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-03 18:25:55 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 16:19:13 319488 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-10-03 16:19:13 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:21:00 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2011-09-26 16:21:00 61328 ----a-r- c:\windows\system32\drivers\is3srv.sys
2011-09-26 15:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 19:43:59.28 ===============

GMER finished, but this form is telling me my 368K ark log is too big to be posted here, so I have attached a "mini-Ark"--everything except the user code sections, which are taking up the bulk of the space--let me know if you want these as well, and how to post them.

Attached File(s)

attach.txt (13.43K)
Number of downloads: 1
ark.txt (20.92K)
Number of downloads: 1

This post has been edited by Landulph: 10 December 2011 - 02:50 AM

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 December 2011 - 03:05 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 Landulph

Member

Group: Members
Posts: 43
Joined: 07-October 10

Posted 12 December 2011 - 10:31 AM

Thanks for the prompt response, Gringo! Unfortunately, when I try to run combofix, I get an error message when it is installing on my machine:

Warning!!
Do not run ComboFix in Compatibility Mode.
Doing so may damage the machine.

And it refuses to go any further.

What should I do now?

I'm already the admin account for this machine, if that makes a difference.

This post has been edited by Landulph: 12 December 2011 - 11:02 AM

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 December 2011 - 11:45 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

#5 Landulph

Member

Group: Members
Posts: 43
Joined: 07-October 10

Posted 13 December 2011 - 12:19 PM

Ran TDSS successfully, Gringo, but the utility found nothing--came up perfectly clean. Here's the log:

12:15:51.0625 1976 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
12:15:53.0656 1976 ============================================================
12:15:53.0656 1976 Current date / time: 2011/12/13 12:15:53.0656
12:15:53.0656 1976 SystemInfo:
12:15:53.0656 1976
12:15:53.0656 1976 OS Version: 5.1.2600 ServicePack: 3.0
12:15:53.0656 1976 Product type: Workstation
12:15:53.0656 1976 ComputerName: GONDOLIN
12:15:53.0656 1976 UserName: Landulph
12:15:53.0656 1976 Windows directory: C:\WINDOWS
12:15:53.0656 1976 System windows directory: C:\WINDOWS
12:15:53.0656 1976 Processor architecture: Intel x86
12:15:53.0656 1976 Number of processors: 2
12:15:53.0656 1976 Page size: 0x1000
12:15:53.0656 1976 Boot type: Normal boot
12:15:53.0656 1976 ============================================================
12:15:56.0875 1976 Initialize success
12:16:53.0218 5772 ============================================================
12:16:53.0218 5772 Scan started
12:16:53.0218 5772 Mode: Manual;
12:16:53.0218 5772 ============================================================
12:16:55.0796 5772 Abiosdsk - ok
12:16:55.0890 5772 abp480n5 - ok
12:16:56.0046 5772 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:16:56.0078 5772 ACPI - ok
12:16:56.0234 5772 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:16:56.0281 5772 ACPIEC - ok
12:16:56.0296 5772 adpu160m - ok
12:16:56.0312 5772 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:16:56.0328 5772 aec - ok
12:16:56.0359 5772 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys
12:16:56.0359 5772 AegisP - ok
12:16:56.0406 5772 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:16:56.0406 5772 AFD - ok
12:16:56.0421 5772 Aha154x - ok
12:16:56.0421 5772 aic78u2 - ok
12:16:56.0437 5772 aic78xx - ok
12:16:56.0453 5772 AliIde - ok
12:16:56.0500 5772 AmFSM (ef9dd27aa5a3baaf2fd2b44c08a3e622) C:\WINDOWS\system32\DRIVERS\amm8651.sys
12:16:56.0500 5772 AmFSM - ok
12:16:56.0515 5772 amsint - ok
12:16:56.0546 5772 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
12:16:56.0562 5772 ApfiltrService - ok
12:16:56.0625 5772 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
12:16:56.0625 5772 APPDRV - ok
12:16:56.0656 5772 APPFLT (f57b596c8b6a143e9dc7ecc52b718a48) C:\WINDOWS\system32\Drivers\APPFLT.SYS
12:16:56.0656 5772 APPFLT - ok
12:16:56.0687 5772 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
12:16:56.0687 5772 Arp1394 - ok
12:16:56.0703 5772 asc - ok
12:16:56.0718 5772 asc3350p - ok
12:16:56.0734 5772 asc3550 - ok
12:16:56.0750 5772 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:16:56.0750 5772 AsyncMac - ok
12:16:56.0781 5772 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:16:56.0781 5772 atapi - ok
12:16:56.0781 5772 Atdisk - ok
12:16:56.0812 5772 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:16:56.0812 5772 Atmarpc - ok
12:16:56.0843 5772 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:16:56.0843 5772 audstub - ok
12:16:56.0843 5772 AvFlt - ok
12:16:56.0875 5772 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
12:16:56.0875 5772 bcm4sbxp - ok
12:16:56.0890 5772 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:16:56.0890 5772 Beep - ok
12:16:56.0937 5772 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:16:56.0984 5772 cbidf2k - ok
12:16:57.0031 5772 cd20xrnt - ok
12:16:57.0046 5772 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:16:57.0046 5772 Cdaudio - ok
12:16:57.0062 5772 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:16:57.0093 5772 Cdfs - ok
12:16:57.0109 5772 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:16:57.0109 5772 Cdrom - ok
12:16:57.0156 5772 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
12:16:57.0156 5772 cercsr6 - ok
12:16:57.0171 5772 Changer - ok
12:16:57.0203 5772 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
12:16:57.0203 5772 CmBatt - ok
12:16:57.0218 5772 CmdIde - ok
12:16:57.0234 5772 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
12:16:57.0234 5772 Compbatt - ok
12:16:57.0250 5772 Cpqarray - ok
12:16:57.0265 5772 dac2w2k - ok
12:16:57.0265 5772 dac960nt - ok
12:16:57.0281 5772 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:16:57.0296 5772 Disk - ok
12:16:57.0343 5772 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:16:57.0359 5772 dmboot - ok
12:16:57.0390 5772 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:16:57.0406 5772 dmio - ok
12:16:57.0437 5772 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:16:57.0437 5772 dmload - ok
12:16:57.0468 5772 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:16:57.0484 5772 DMusic - ok
12:16:57.0500 5772 dpti2o - ok
12:16:57.0531 5772 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:16:57.0531 5772 drmkaud - ok
12:16:57.0578 5772 DSAFLT (5bb0f91ffd84057d094d106d9ff53298) C:\WINDOWS\system32\Drivers\DSAFLT.SYS
12:16:57.0578 5772 DSAFLT - ok
12:16:57.0625 5772 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:16:57.0640 5772 Fastfat - ok
12:16:57.0671 5772 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
12:16:57.0687 5772 Fdc - ok
12:16:57.0703 5772 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:16:57.0703 5772 Fips - ok
12:16:57.0718 5772 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
12:16:57.0718 5772 Flpydisk - ok
12:16:57.0750 5772 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
12:16:57.0750 5772 FltMgr - ok
12:16:57.0765 5772 FNETMON (a38b9ba7a4c17f7dce9ec4e8f7870026) C:\WINDOWS\system32\Drivers\fnetmon.SYS
12:16:57.0765 5772 FNETMON - ok
12:16:57.0781 5772 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:16:57.0781 5772 Fs_Rec - ok
12:16:57.0796 5772 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:16:57.0796 5772 Ftdisk - ok
12:16:57.0828 5772 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:16:57.0843 5772 Gpc - ok
12:16:57.0875 5772 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
12:16:57.0890 5772 HDAudBus - ok
12:16:57.0937 5772 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:16:57.0937 5772 HidUsb - ok
12:16:57.0968 5772 hpn - ok
12:16:58.0015 5772 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
12:16:58.0031 5772 HSF_DPV - ok
12:16:58.0062 5772 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
12:16:58.0062 5772 HSXHWAZL - ok
12:16:58.0109 5772 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:16:58.0109 5772 HTTP - ok
12:16:58.0140 5772 i2omgmt - ok
12:16:58.0156 5772 i2omp - ok
12:16:58.0187 5772 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:16:58.0187 5772 i8042prt - ok
12:16:58.0265 5772 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
12:16:58.0281 5772 ialm - ok
12:16:58.0328 5772 IDSFLT (188eed48de6dc75e1067e78ed99d928a) C:\WINDOWS\system32\Drivers\IDSFLT.SYS
12:16:58.0328 5772 IDSFLT - ok
12:16:58.0359 5772 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:16:58.0359 5772 Imapi - ok
12:16:58.0390 5772 ini910u - ok
12:16:58.0406 5772 IntelIde - ok
12:16:58.0421 5772 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:16:58.0421 5772 intelppm - ok
12:16:58.0453 5772 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
12:16:58.0453 5772 Ip6Fw - ok
12:16:58.0515 5772 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:16:58.0531 5772 IpFilterDriver - ok
12:16:58.0562 5772 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:16:58.0593 5772 IpInIp - ok
12:16:58.0625 5772 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:16:58.0625 5772 IpNat - ok
12:16:58.0640 5772 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:16:58.0640 5772 IPSec - ok
12:16:58.0656 5772 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:16:58.0703 5772 IRENUM - ok
12:16:58.0734 5772 is3srv (447e6a7c3e7e1cd550a8af889a8209e9) C:\WINDOWS\system32\drivers\is3srv.sys
12:16:58.0750 5772 is3srv - ok
12:16:58.0765 5772 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:16:58.0765 5772 isapnp - ok
12:16:58.0781 5772 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:16:58.0796 5772 Kbdclass - ok
12:16:58.0828 5772 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:16:58.0828 5772 kmixer - ok
12:16:58.0843 5772 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:16:58.0859 5772 KSecDD - ok
12:16:58.0890 5772 lbrtfdc - ok
12:16:58.0921 5772 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
12:16:58.0921 5772 mdmxsdk - ok
12:16:58.0968 5772 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:16:58.0968 5772 mnmdd - ok
12:16:58.0984 5772 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:16:58.0984 5772 Modem - ok
12:16:59.0000 5772 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:16:59.0000 5772 Mouclass - ok
12:16:59.0031 5772 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:16:59.0031 5772 MountMgr - ok
12:16:59.0046 5772 mraid35x - ok
12:16:59.0062 5772 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:16:59.0078 5772 MRxDAV - ok
12:16:59.0125 5772 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:16:59.0140 5772 MRxSmb - ok
12:16:59.0218 5772 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:16:59.0218 5772 Msfs - ok
12:16:59.0250 5772 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:16:59.0281 5772 MSKSSRV - ok
12:16:59.0296 5772 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:16:59.0343 5772 MSPCLOCK - ok
12:16:59.0375 5772 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:16:59.0375 5772 MSPQM - ok
12:16:59.0406 5772 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:16:59.0406 5772 mssmbios - ok
12:16:59.0437 5772 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:16:59.0437 5772 Mup - ok
12:16:59.0484 5772 MxlW2k (63d074073d5fda93163517c2a8f2ba5a) C:\WINDOWS\system32\drivers\MxlW2k.sys
12:16:59.0484 5772 MxlW2k - ok
12:16:59.0515 5772 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:16:59.0531 5772 NDIS - ok
12:16:59.0531 5772 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:16:59.0531 5772 NdisTapi - ok
12:16:59.0562 5772 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:16:59.0562 5772 Ndisuio - ok
12:16:59.0562 5772 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:16:59.0578 5772 NdisWan - ok
12:16:59.0609 5772 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:16:59.0609 5772 NDProxy - ok
12:16:59.0625 5772 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:16:59.0625 5772 NetBIOS - ok
12:16:59.0640 5772 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:16:59.0656 5772 NetBT - ok
12:16:59.0718 5772 NETFLTDI (d8f44fc13db193c9379297973ee42272) C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
12:16:59.0734 5772 NETFLTDI - ok
12:16:59.0750 5772 NETIMFLT01060042 (9eeb6df1f5ffd878a3a44874607eaaef) C:\WINDOWS\system32\DRIVERS\neti1642.sys
12:16:59.0765 5772 NETIMFLT01060042 - ok
12:16:59.0828 5772 NETw3x32 (71371ed9086a3d65f43967c89634e9a9) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
12:16:59.0875 5772 NETw3x32 - ok
12:16:59.0906 5772 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
12:16:59.0906 5772 NIC1394 - ok
12:16:59.0921 5772 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:16:59.0921 5772 Npfs - ok
12:16:59.0953 5772 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:16:59.0968 5772 Ntfs - ok
12:17:00.0015 5772 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:17:00.0031 5772 Null - ok
12:17:00.0062 5772 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:17:00.0078 5772 NwlnkFlt - ok
12:17:00.0109 5772 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:17:00.0156 5772 NwlnkFwd - ok
12:17:00.0187 5772 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
12:17:00.0187 5772 ohci1394 - ok
12:17:00.0234 5772 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
12:17:00.0234 5772 Parport - ok
12:17:00.0265 5772 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:17:00.0265 5772 PartMgr - ok
12:17:00.0312 5772 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:17:00.0343 5772 ParVdm - ok
12:17:00.0406 5772 pavboot (55d654258a9c509b671310c314bd30b4) C:\WINDOWS\system32\Drivers\pavboot.sys
12:17:00.0406 5772 pavboot - ok
12:17:00.0484 5772 PavProc (018f51f5757819fcd9f32162c9808565) C:\WINDOWS\system32\DRIVERS\PavProc.sys
12:17:00.0484 5772 PavProc - ok
12:17:00.0515 5772 PavSRK.sys - ok
12:17:00.0531 5772 PavTPK.sys - ok
12:17:00.0546 5772 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:17:00.0546 5772 PCI - ok
12:17:00.0562 5772 PCIDump - ok
12:17:00.0578 5772 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
12:17:00.0593 5772 PCIIde - ok
12:17:00.0609 5772 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
12:17:00.0609 5772 Pcmcia - ok
12:17:00.0656 5772 PCTCore (167b2fea66dde6925766d1a81a1affc0) C:\WINDOWS\system32\drivers\PCTCore.sys
12:17:00.0671 5772 PCTCore - ok
12:17:00.0687 5772 pctgntdi (d15669bd3e1cf18f00b46a7949ea541f) C:\WINDOWS\system32\drivers\pctgntdi.sys
12:17:00.0703 5772 pctgntdi - ok
12:17:00.0734 5772 pctplsg (95a8562701e6b4494993847f85b2d60e) C:\WINDOWS\system32\drivers\pctplsg.sys
12:17:00.0765 5772 pctplsg - ok
12:17:00.0765 5772 PDCOMP - ok
12:17:00.0781 5772 PDFRAME - ok
12:17:00.0796 5772 PDRELI - ok
12:17:00.0812 5772 PDRFRAME - ok
12:17:00.0828 5772 perc2 - ok
12:17:00.0828 5772 perc2hib - ok
12:17:00.0890 5772 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:17:00.0890 5772 PptpMiniport - ok
12:17:00.0921 5772 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:17:00.0921 5772 PSched - ok
12:17:00.0968 5772 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:17:00.0968 5772 Ptilink - ok
12:17:00.0984 5772 ql1080 - ok
12:17:00.0984 5772 Ql10wnt - ok
12:17:01.0000 5772 ql12160 - ok
12:17:01.0015 5772 ql1240 - ok
12:17:01.0031 5772 ql1280 - ok
12:17:01.0046 5772 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:17:01.0046 5772 RasAcd - ok
12:17:01.0062 5772 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:17:01.0062 5772 Rasl2tp - ok
12:17:01.0078 5772 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:17:01.0093 5772 RasPppoe - ok
12:17:01.0109 5772 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:17:01.0109 5772 Raspti - ok
12:17:01.0125 5772 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:17:01.0140 5772 Rdbss - ok
12:17:01.0140 5772 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:17:01.0140 5772 RDPCDD - ok
12:17:01.0171 5772 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
12:17:01.0187 5772 rdpdr - ok
12:17:01.0234 5772 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
12:17:01.0234 5772 RDPWD - ok
12:17:01.0265 5772 redbook (f318fde43398d363ba3f1f5b28a42889) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:17:01.0265 5772 redbook - ok
12:17:01.0343 5772 s24trans (daef68fc328342d219de928c8ee610b2) C:\WINDOWS\system32\DRIVERS\s24trans.sys
12:17:01.0343 5772 s24trans - ok
12:17:01.0390 5772 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:17:01.0437 5772 Secdrv - ok
12:17:01.0484 5772 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:17:01.0484 5772 serenum - ok
12:17:01.0515 5772 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
12:17:01.0531 5772 Serial - ok
12:17:01.0546 5772 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:17:01.0546 5772 Sfloppy - ok
12:17:01.0593 5772 ShldDrv (a2f0bf07cac43a11555c173f7b1ad28a) C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys
12:17:01.0593 5772 ShldDrv - ok
12:17:01.0609 5772 Simbad - ok
12:17:01.0625 5772 Sparrow - ok
12:17:01.0640 5772 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:17:01.0640 5772 splitter - ok
12:17:01.0671 5772 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:17:01.0671 5772 sr - ok
12:17:01.0703 5772 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:17:01.0734 5772 Srv - ok
12:17:01.0812 5772 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
12:17:01.0828 5772 STHDA - ok
12:17:01.0875 5772 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:17:01.0875 5772 swenum - ok
12:17:01.0906 5772 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:17:01.0906 5772 swmidi - ok
12:17:01.0921 5772 symc810 - ok
12:17:01.0937 5772 symc8xx - ok
12:17:01.0953 5772 sym_hi - ok
12:17:01.0968 5772 sym_u3 - ok
12:17:02.0000 5772 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:17:02.0000 5772 sysaudio - ok
12:17:02.0031 5772 szkg5 (447e6a7c3e7e1cd550a8af889a8209e9) C:\WINDOWS\system32\DRIVERS\szkg.sys
12:17:02.0031 5772 szkg5 - ok
12:17:02.0062 5772 szkgfs (2b8581dc75d6d043e273eb0244632bcb) C:\WINDOWS\system32\drivers\szkgfs.sys
12:17:02.0062 5772 szkgfs - ok
12:17:02.0109 5772 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:17:02.0125 5772 Tcpip - ok
12:17:02.0171 5772 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:17:02.0171 5772 TDPIPE - ok
12:17:02.0187 5772 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:17:02.0187 5772 TDTCP - ok
12:17:02.0218 5772 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:17:02.0218 5772 TermDD - ok
12:17:02.0265 5772 TfFsMon (d2a1cd31200a6c9d3dfad022503e4836) C:\WINDOWS\system32\drivers\TfFsMon.sys
12:17:02.0265 5772 TfFsMon - ok
12:17:02.0281 5772 TfNetMon (3e3a544d10b0ac1c4c133048f84390ac) C:\WINDOWS\system32\drivers\TfNetMon.sys
12:17:02.0296 5772 TfNetMon - ok
12:17:02.0312 5772 TfSysMon (706be7328a35c39dbe449e10c1ac6a38) C:\WINDOWS\system32\drivers\TfSysMon.sys
12:17:02.0312 5772 TfSysMon - ok
12:17:02.0343 5772 TosIde - ok
12:17:02.0359 5772 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:17:02.0375 5772 Udfs - ok
12:17:02.0390 5772 UIUSys - ok
12:17:02.0390 5772 ultra - ok
12:17:02.0437 5772 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:17:02.0453 5772 Update - ok
12:17:02.0500 5772 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:17:02.0500 5772 usbccgp - ok
12:17:02.0531 5772 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:17:02.0531 5772 usbehci - ok
12:17:02.0562 5772 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:17:02.0562 5772 usbhub - ok
12:17:02.0578 5772 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:17:02.0578 5772 USBSTOR - ok
12:17:02.0625 5772 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:17:02.0625 5772 usbuhci - ok
12:17:02.0640 5772 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:17:02.0656 5772 VgaSave - ok
12:17:02.0656 5772 ViaIde - ok
12:17:02.0671 5772 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:17:02.0687 5772 VolSnap - ok
12:17:02.0718 5772 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:17:02.0718 5772 Wanarp - ok
12:17:02.0765 5772 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
12:17:02.0765 5772 WDC_SAM - ok
12:17:02.0781 5772 WDICA - ok
12:17:02.0796 5772 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:17:02.0812 5772 wdmaud - ok
12:17:02.0859 5772 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
12:17:02.0875 5772 winachsf - ok
12:17:02.0953 5772 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
12:17:02.0953 5772 WmiAcpi - ok
12:17:02.0984 5772 WNMFLT (0411d0433e8c48ad24b2ef32d7c97ae0) C:\WINDOWS\system32\Drivers\WNMFLT.SYS
12:17:03.0000 5772 WNMFLT - ok
12:17:03.0078 5772 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
12:17:03.0093 5772 WS2IFSL - ok
12:17:03.0156 5772 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:17:03.0437 5772 \Device\Harddisk0\DR0 - ok
12:17:03.0437 5772 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR3
12:17:03.0625 5772 \Device\Harddisk1\DR3 - ok
12:17:03.0625 5772 MBR (0x1B8) (feffdedea77250a6fcd92c304b49ace2) \Device\Harddisk2\DR5
12:17:03.0625 5772 \Device\Harddisk2\DR5 - ok
12:17:03.0671 5772 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk3\DR7
12:17:03.0687 5772 \Device\Harddisk3\DR7 - ok
12:17:03.0687 5772 Boot (0x1200) (3f30929eebc7c888cb32788c2f227b39) \Device\Harddisk0\DR0\Partition0
12:17:03.0687 5772 \Device\Harddisk0\DR0\Partition0 - ok
12:17:03.0703 5772 Boot (0x1200) (9e7e8b1a45f84ae639736906fa9ca078) \Device\Harddisk1\DR3\Partition0
12:17:03.0703 5772 \Device\Harddisk1\DR3\Partition0 - ok
12:17:03.0703 5772 Boot (0x1200) (b485b52af064fba0d5796be7dba2ad7a) \Device\Harddisk2\DR5\Partition0
12:17:03.0703 5772 \Device\Harddisk2\DR5\Partition0 - ok
12:17:03.0703 5772 Boot (0x1200) (e106c08c8107be1a082a6be8203dbec8) \Device\Harddisk3\DR7\Partition0
12:17:03.0703 5772 \Device\Harddisk3\DR7\Partition0 - ok
12:17:03.0703 5772 ============================================================
12:17:03.0703 5772 Scan finished
12:17:03.0703 5772 ============================================================
12:17:03.0718 5884 Detected object count: 0
12:17:03.0718 5884 Actual detected object count: 0

Any thoughts, Gring?

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 13 December 2011 - 02:00 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

<-- Don't worry every little bit helps.

#7 Landulph

Member

Group: Members
Posts: 43
Joined: 07-October 10

Posted 13 December 2011 - 03:18 PM

Hallelujah, Gringo! We FINALLY have something! aswMBR downloaded and ran successfully, and found some apparent red nasties. Here's the log:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-13 15:15:12
-----------------------------
15:15:12.218 OS Version: Windows 5.1.2600 Service Pack 3
15:15:12.218 Number of processors: 2 586 0xF02
15:15:12.218 ComputerName: GONDOLIN UserName: Landulph
15:15:14.843 Initialize success
15:15:51.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:15:51.937 Disk 0 Vendor: Hitachi_HTS722080K9A300 DCBOC54P Size: 76319MB BusType: 3
15:15:53.968 Disk 0 MBR read successfully
15:15:53.968 Disk 0 MBR scan
15:15:53.968 Disk 0 Windows XP default MBR code
15:15:53.968 Disk 0 scanning sectors +156296385
15:15:54.046 Disk 0 scanning C:\WINDOWS\system32\drivers
15:16:03.437 Service scanning
15:16:04.718 Modules scanning
15:16:06.562 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**
15:16:13.406 Disk 0 trace - called modules:
15:16:13.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8616ff10]<<
15:16:13.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86589030]
15:16:13.421 3 CLASSPNP.SYS[f765dfd7] -> nt!IofCallDriver -> [0x860f93b0]
15:16:13.421 \Driver\00000657[0x860f83a8] -> IRP_MJ_CREATE -> 0x8616ff10
15:16:13.421 Scan finished successfully
15:16:23.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Landulph\Desktop\MBR.dat"
15:16:23.093 The log file has been saved successfully to "C:\Documents and Settings\Landulph\Desktop\aswMBR.txt"

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 13 December 2011 - 03:25 PM

Hello

I would like you to run this tool for me - fixTDSS

download it to your desktop and start the program

Follow the prompts and Ok any security prompts

when it is complete it will say the infection was cleared or no infection was found - let me know what it says

after it is complete I want you to restart the computer and try to rerun ASWMbr for me and send me the report

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

<-- Don't worry every little bit helps.

#9 Landulph

Member

Group: Members
Posts: 43
Joined: 07-October 10

Posted 13 December 2011 - 03:47 PM

Ran fixTDSS. Got message at end saying "Backdoor.Tidserv not found." Restarted, ran aswMBR again, got log looking similar to first time I ran it:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-13 15:44:06
-----------------------------
15:44:06.515 OS Version: Windows 5.1.2600 Service Pack 3
15:44:06.515 Number of processors: 2 586 0xF02
15:44:06.515 ComputerName: GONDOLIN UserName: Landulph
15:44:08.125 Initialize success
15:44:18.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:44:18.171 Disk 0 Vendor: Hitachi_HTS722080K9A300 DCBOC54P Size: 76319MB BusType: 3
15:44:20.203 Disk 0 MBR read successfully
15:44:20.218 Disk 0 MBR scan
15:44:20.218 Disk 0 Windows XP default MBR code
15:44:20.265 Disk 0 scanning sectors +156296385
15:44:20.359 Disk 0 scanning C:\WINDOWS\system32\drivers
15:44:29.078 Service scanning
15:44:30.234 Modules scanning
15:44:31.625 Module: C:\WINDOWS\system32\DRIVERS\redbook.sys **SUSPICIOUS**
15:44:34.250 Disk 0 trace - called modules:
15:44:34.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x860f3f10]<<
15:44:34.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86496ab8]
15:44:34.265 3 CLASSPNP.SYS[f765dfd7] -> nt!IofCallDriver -> [0x863bba80]
15:44:34.765 \Driver\00000715[0x85ff7268] -> IRP_MJ_CREATE -> 0x860f3f10
15:44:34.765 Scan finished successfully
15:45:08.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Landulph\Desktop\MBR.dat"
15:45:08.812 The log file has been saved successfully to "C:\Documents and Settings\Landulph\Desktop\aswMBR1.txt"

#10 Landulph

Member

Group: Members
Posts: 43
Joined: 07-October 10

Posted 15 December 2011 - 04:58 PM

Bump, Gringo?

#11 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,549
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 16 December 2011 - 11:38 AM

Greetings

I need you to make a bootable usb and to make a screenshot for me - follow the instructions below to do this

How to create a bootable Puppy USB Drive

Download and save a copy of the latest Puppy ISO file
Download and save a copy of Unetbootin for Windows.
Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
Launch Unetbootin ....
Ensure that Disk Image is selected.
Using the browse button ... browse to and select the Puppy ISO file.
Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive.
Click OK

Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

Next

You need to change the boot order of the computer to boot from a USB drive ....

Read HERE for instructions how to do this.

Now boot into Puppylinux

when you get to the desktop Click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them)

Next - Launch GParted which is found at Menu > System > GParted partition manager,
Click to select All Drives then click Okay
I need you to take a screenshot of the window that opens up - to do this follow these instructions

To take a screenshot in Puppy ....

With the GParted window open ...

Click menu > Graphic > mtPaint-snapshot screen capture
A small window will open ....
- Click Capture Now
- Click OK
The mtPaint program will open ....
- Click File > Save
- Double click on ../
- Double click on mnt/
- Double click on sdb1/
- Set File Format to JPEG
- Enter screenshot1 into the text box
- Click OK