BleepingComputer.com: System check rootkit.boot.sst.a not removed

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

System check rootkit.boot.sst.a not removed Trying a second time with your help

#1 User is offline   edwh 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 04-February 12
  • Gender:Male

Posted 04 February 2012 - 12:50 PM

30 Jan 12 I had the Fake HDD windows "windows delayed write failed" etc with files hidden. I should have said I have been following the page http://www.bleepingcomputer.com/virus-removal/remove-system-check .

I booted in safe mode and ran RKill restoring the file view and TDSSKiller to which found Rootkit.Boot.sst.a.
At the end it aksed for a normal reboot, but the Fake HDD started again.

Second time I rebooted in safe mode again, repeated RKill, TDSSKiller the rootkit was OK a few files found and removed.
Now I ran Malwarebytes. 4 Feb 12, I booted in safe mode. Realising I needed to be safe this time I have backed up recent data (not on my external Omega HD) onto USB and am copying to a safe place.
Not enough space for the whole computer. In order to do that I unhid some files to back them up. This may have been a mistake, as RKill did not unhide everything as it should I ran RKill, TDSKiller (nothing) and Malwarebytes again, still going after an hour, nothing found yet.

Q1. If I back up onto my external drive will I risk corrupting the backups I have? (Iomega Quikprotect)
Q2. I have a file appearing on the usb stick I don't recognise "nmndsdcid". What does that indicate?

I ran defogger dds.scr and gmer this time around, results below.

What to do next?

I have the ark.txt if needed.

Edward
---------------------------------------
Attached File  dds.txt (14.86K)
Number of downloads: 1
---------------------------------------
Attached File  ark.txt (416.35K)
Number of downloads: 0

This post has been edited by edwh: 05 February 2012 - 09:37 AM

#2 User is offline   edwh 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 04-February 12
  • Gender:Male

Posted 05 February 2012 - 11:11 AM

I rebooted into safe mode, and ran superantispyware Quickscan
Registry item Trojan.Agent/Gen-FakeAV was removed.
I'm running again after updating, using full scan

#3 User is offline   edwh 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 04-February 12
  • Gender:Male

Posted 05 February 2012 - 02:13 PM

Thanks to Superantispyware (not removed by anything else), I have removed Trojan.Agent/Gen-FakeAV, Trojan.Agent/Gen-Sinowal, Trojan.Agent/Gen-Crypt, Trojan.Agent/Gen-FakeAlert.
Normal boot is OK, but I still have a lot of hidden files, because I changed some files to unhidden manually before running RKill (as above)

Q3. How can I get the right files hidden (which should be on XP SP3) and unhide the rest? I will create new users and transfer over the data I want.

I updated Java (last update 8 months ago and deleted temp files.This is where the Trojan.Agent/Gen-FakeAV, Trojan.Agent/Gen-Sinowal, Trojan.Agent/Gen-Crypt were cached
I have updated Firefox to the latest.

Edward

#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 05 February 2012 - 11:48 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps




Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 09 February 2012 - 12:09 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 12 February 2012 - 02:55 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 14 February 2012 - 07:06 PM

This topic has been re-opened at the request of the person who originally posted.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#8 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 17 February 2012 - 12:33 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 19 February 2012 - 11:33 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#10 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 24 February 2012 - 04:49 PM

This topic has been re-opened at the request of the person who originally posted.
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   edwh 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 04-February 12
  • Gender:Male

Posted 25 February 2012 - 07:13 PM

Dear Gringo

Thank you for your messages and help.

I installed Recovery console when asked.
I could not disable Sophos for the combofix.

I don't think I can get everything back to what it was, and plan to reinstall windows from a slipstreamed XP SP3 CD I am creating (the forum has a helpful page). Anyway this would give me a fresh start. I have my C: and E: (data) backed up.

1. I can't install a recent Firefox - asks me to "reboot to complete the installation" but this does not make it work.
2. Almost all the folders in Start/Programs are empty. e.g. I cannot restart Ad-aware. Yes I understand I have two anti-virus programs but Ad-aware started out as not an Anti-virus program.

However if you think I can try anything else, I look forward to hearing from you.

Here is the text from the combofix log:

Many thanks

Edward Howard

ComboFix 12-02-24.02 - Edward_2 25/02/2012 1:07.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3070.2351 [GMT 0:00]
Running from: e:\received files\Blpcmtr\CombFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\edward\WINDOWS
c:\windows\system32\SET123.tmp
c:\windows\system32\SET128.tmp
c:\windows\system32\SETED.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-25 to 2012-02-25 )))))))))))))))))))))))))))))))
.
.
2012-02-15 04:46 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 04:46 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 10:34 . 2012-02-14 10:42 -------- d-----w- c:\documents and settings\Matthew Zoostorm
2012-02-10 21:05 . 2012-01-29 16:13 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-02-10 21:05 . 2012-01-29 16:13 97240 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2012-02-10 21:05 . 2012-01-29 16:13 818136 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2012-02-10 21:05 . 2012-01-29 16:13 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-02-10 21:05 . 2012-01-29 16:13 437208 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2012-02-10 21:05 . 2012-01-29 16:13 1911768 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2012-02-10 21:05 . 2012-01-29 16:13 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2012-02-10 21:05 . 2012-01-29 13:35 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-02-10 21:05 . 2012-01-29 13:35 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2012-02-10 21:05 . 2012-01-29 13:35 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-02-10 21:05 . 2012-01-29 13:35 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-02-10 21:05 . 2012-01-29 13:35 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-02-06 07:12 . 2012-02-11 12:08 -------- d-----w- c:\documents and settings\Edward_2
2012-02-05 14:46 . 2012-02-15 00:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-05 14:46 . 2012-02-05 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-31 01:47 . 2012-01-31 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-31 01:47 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-31 01:47 . 2012-01-31 01:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 21:55 . 2010-05-18 23:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-20 21:55 . 2007-04-17 22:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-20 21:09 . 2011-05-19 17:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2006-02-28 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2009-06-18 13:16 . 2009-06-18 13:16 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-06-18 13:36 . 2009-06-18 13:36 108272 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2012-01-29 16:13 . 2012-02-10 21:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"nwiz"="nwiz.exe" [2006-06-01 1519616]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 86016]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"sclauncher"="c:\program files\Nokia\SimpleCenter\bin\win\sclauncher.exe" [2007-01-30 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-08-15 1191216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2011-01-20 439536]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-10-19 190768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\eudora7\EuShlExt.dll" [2006-08-17 86016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"=xgusb.cpl
"midi3"=xgusb.cpl
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\OFFICE11\\WINWORD.EXE"=
"c:\windows\system32\dpvsetup.exe"= c:\windows\system32\dpvsetup.exe:192.168.1.0/255.255.255.0:Enabled:Microsoft DirectPlay Voice Test
"c:\windows\system32\usmt\migwiz.exe"= c:\windows\system32\usmt\migwiz.exe:192.168.1.0/255.255.255.0:Enabled:Files and Settings Transfer Wizard
"c:\windows\Network Diagnostic\xpnetdiag.exe"= c:\windows\Network Diagnostic\xpnetdiag.exe:192.168.1.0/255.255.255.0:Enabled:@xpsp3res.dll,-20000
"c:\program files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe"= c:\program files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:192.168.1.0/255.255.255.0:Enabled:Nokia Service Layer Host Process
"c:\program files\Retrospect\Retrospect 7.7\Retrospect.exe"= c:\program files\Retrospect\Retrospect 7.7\Retrospect.exe:192.168.1.0/255.255.255.0:Enabled:Retrospect
"c:\program files\Skype\Phone\Skype.exe"= c:\program files\Skype\Phone\Skype.exe:192.168.1.0/255.255.255.0:Enabled:Skype
"c:\windows\system32\ZoneLabs\vsmon.exe"= c:\windows\system32\ZoneLabs\vsmon.exe:192.168.1.0/255.255.255.0:Enabled:TrueVector Service
"c:\windows\system32\sessmgr.exe"= c:\windows\system32\sessmgr.exe:192.168.1.0/255.255.255.0:Disabled:@xpsp2res.dll,-22019
"%windir%\explorer.exe"= %windir%\explorer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:192.168.1.0/255.255.255.0:Enabled:@xpsp2res.dll,-22008
"3389:TCP"= 3389:TCP:192.168.1.0/255.255.255.0:Disabled:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/02/2009 11:22 64288]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [07/11/2011 21:28 56208]
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [27/02/2010 15:16 390528]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 16:59 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [07/11/2011 21:28 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [07/11/2011 21:28 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 16:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 21:55 67664]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [20/12/2009 09:29 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [20/12/2009 09:30 24064]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 23:38 116608]
R2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [14/02/2011 16:44 512696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/12/2010 09:05 2152152]
R2 NetProbe;NetProbe Packet Driver;c:\windows\system32\drivers\NetProbe.sys [15/03/2006 12:40 5365]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [07/11/2011 21:28 931640]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [20/01/2011 14:47 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [20/01/2011 14:47 97520]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [20/01/2011 14:48 1541360]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [04/09/2008 19:53 33400]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [29/07/2010 09:12 10744]
S3 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [22/11/2008 22:26 81920]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [22/11/2008 22:26 2723840]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [03/12/2010 09:05 15232]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [07/12/2011 00:06 137472]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [07/12/2011 00:06 8576]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [20/01/2011 14:48 23928]
S3 SFC4;SFC4;c:\windows\system32\drivers\sfc4.sys [30/10/2006 12:48 41472]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [20/12/2009 09:30 14976]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-12-03 07:40]
.
2012-02-25 c:\windows\Tasks\User_Feed_Synchronization-{0EE688A2-92A2-42B3-8687-572472A22AE3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.brookes.ac.uk/
TCP: Interfaces\{670B5C53-12A6-40F4-86F1-6BA413A52803}: NameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Edward_2\Application Data\Mozilla\Firefox\Profiles\e6r7hzn8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.brookes.ac.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Firefox Synchronisation Extension: fe_3.6@nokia.com - c:\program files\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_3.6
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellExecuteHooks-UPB:{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-25 01:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="c:\xampp\mysql\bin\mysqld-nt --defaults-file=c:\xampp\mysql\bin\my.cnf mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(7596)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Retrospect\Retrospect 7.7\retrorun.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RunDLL32.exe
.
**************************************************************************
.
Completion time: 2012-02-25 01:27:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-25 01:27
.
Pre-Run: 49,975,783,424 bytes free
Post-Run: 50,141,159,424 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 19900DC94987DE9E1312287A84C0AE55

#12 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 25 February 2012 - 08:46 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 28 February 2012 - 12:33 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#14 User is offline   edwh 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 04-February 12
  • Gender:Male

Posted 28 February 2012 - 02:45 AM

Dear Gringo

Though I think I have removed all the viruses, I decided to reinstall Windows anyway and am up and running.

Thank you for all your help

Edward

#15 User is offline   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,549
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 28 February 2012 - 03:09 AM

hello

thank you for letting me know


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users