Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'thefeedyard' redirecting websites.


  • Please log in to reply
9 replies to this topic

#1 Smarmie

Smarmie

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 12 October 2009 - 08:14 PM

sorry such a rude first post, I normally introduce myself, but it has taken me forever just to get to this place due to the fact that I keep getting redirected to search sites. I've ran malwarebytes (latest update) but it doesn't get rid of the rootkit when i restart my system. (just FYI i got this nasty bug from wwtdd.com) I am unsure of what i can do next, and i don' want to do a complete system restore...I just did one last week, and I'm unsure of trying to use combofix, as I've never used it before.

Any help would be greatly appreciated!

Update- I've also ran Spybot Search and Destroy, which did get rid of some stuff, and things are running faster, however, I'm still being redirected to 'thefeedyard' and other search sites.

Edited by Smarmie, 12 October 2009 - 09:07 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:37 PM

Posted 12 October 2009 - 09:32 PM

Hello and welcome.
Please post the infected MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Next...
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Smarmie

Smarmie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 12 October 2009 - 09:36 PM

rootkit-

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/12 22:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF759F000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74E0000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF3E66000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xF779F000 Size: 35840 File Visible: - Signed: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF75AF000 Size: 42368 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF6334000 Size: 2279424 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xF76EF000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7498000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7BB0000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7A71000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF793F000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBA1F6000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF75DF000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF756F000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF755F000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF75FF000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3D23000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A81000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF72F8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7C7E000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF3D74000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fasttx2k.sys
Image Path: fasttx2k.sys
Address: 0xF7475000 Size: 142336 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF78AF000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF772F000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF78FF000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF743D000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7A6F000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74B0000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xF78CF000 Size: 21120 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806FF000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Address: 0xF6300000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Address: 0xF7927000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Address: 0xF7A0B000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB8CB9000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF777F000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF778F000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF774F000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipfltdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xF76DF000 Size: 32896 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF3EFF000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF3F7E000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF752F000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF78B7000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7A2F000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB86BA000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF6561000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7414000 Size: 92928 File Visible: - Signed: -
Status: -

Name: ltmdmnt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
Address: 0xF65BE000 Size: 633408 File Visible: - Signed: -
Status: -

Name: mfeavfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfeavfk.sys
Address: 0xB8B6D000 Size: 73088 File Visible: - Signed: -
Status: -

Name: mfebopk.sys
Image Path: C:\WINDOWS\system32\drivers\mfebopk.sys
Address: 0xF7907000 Size: 28544 File Visible: - Signed: -
Status: -

Name: mfehidk.sys
Image Path: C:\WINDOWS\system32\drivers\mfehidk.sys
Address: 0xF3D98000 Size: 207296 File Visible: - Signed: -
Status: -

Name: mfesmfk.sys
Image Path: C:\WINDOWS\system32\drivers\mfesmfk.sys
Address: 0xB8ABA000 Size: 33824 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7A73000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF78A7000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF78BF000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xF616D000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF753F000 Size: 42368 File Visible: - Signed: -
Status: -

Name: Mpfp.sys
Image Path: C:\WINDOWS\System32\Drivers\Mpfp.sys
Address: 0xF3ED8000 Size: 159744 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xB94CC000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF3DCB000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF7917000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF763F000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF731C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7340000 Size: 105344 File Visible: - Signed: -
Status: -

Name: MxlW2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xF78C7000 Size: 25504 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF735A000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7A23000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xBA6C9000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF6259000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF769F000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF76FF000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF3E88000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF765F000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF791F000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7387000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7BD3000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000 Size: 6172672 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Address: 0xF666D000 Size: 6301344 File Visible: - Signed: -
Status: -

Name: nv_agp.sys
Image Path: nv_agp.sys
Address: 0xF77CF000 Size: 21120 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF758F000 Size: 61696 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF65AA000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF77B7000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7AB7000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF74CF000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7AF7000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF77AF000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF7A17000 Size: 10368 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6310000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PS2.sys
Image Path: C:\WINDOWS\System32\DRIVERS\PS2.sys
Address: 0xF7A13000 Size: 14112 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF6248000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF78E7000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF77BF000 Size: 16544 File Visible: - Signed: -
Status: -

Name: R8139n51.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\R8139n51.SYS
Address: 0xF775F000 Size: 46976 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF79CF000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF760F000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF761F000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF762F000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF78EF000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF3E3B000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7A75000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF75EF000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xB85F8000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Address: 0xF745D000 Size: 98304 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF7A0F000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF776F000 Size: 64512 File Visible: - Signed: -
Status: -

Name: SISAGPX.sys
Image Path: SISAGPX.sys
Address: 0xF757F000 Size: 36992 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF742B000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xB938A000 Size: 333952 File Visible: - Signed: -
Status: -

Name: srvkp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srvkp.sys
Address: 0xF79EF000 Size: 11392 File Visible: - Signed: -
Status: -

Name: sunkfilt.sys
Image Path: C:\WINDOWS\System32\Drivers\sunkfilt.sys
Address: 0xF792F000 Size: 26176 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7A57000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF3FF1000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF3F25000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF78D7000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF764F000 Size: 40704 File Visible: - Signed: -
Status: -

Name: Udfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Udfs.SYS
Address: 0xF3D3B000 Size: 66048 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF61EA000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF7A63000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF789F000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF76AF000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF6C70000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xF7937000 Size: 26368 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF7897000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF790F000 Size: 20992 File Visible: - Signed: -
Status: -

Name: viaagp1.sys
Image Path: viaagp1.sys
Address: 0xF77C7000 Size: 27904 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6659000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF754F000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF76CF000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF781F000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdf01000.sys
Image Path: C:\WINDOWS\System32\Drivers\wdf01000.sys
Address: 0xF6179000 Size: 462848 File Visible: - Signed: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Address: 0xF767F000 Size: 57344 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xBA39C000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7A31000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF79EB000 Size: 12032 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: C:\WINDOWS\system32\DRIVERS\WudfPf.sys
Address: 0xBA6D1000 Size: 91904 File Visible: - Signed: -
Status: -

Name: zumbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\zumbus.sys
Address: 0xF766F000 Size: 40832 File Visible: - Signed: -
Status: -


----------------


Malwarebytes' Anti-Malware 1.41
Database version: 2948
Windows 5.1.2600 Service Pack 3

10/12/2009 5:06:55 PM
mbam-log-2009-10-12 (17-06-55).txt

Scan type: Quick Scan
Objects scanned: 117216
Time elapsed: 14 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.
C:\jboy.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\oqmcrvjkis.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\eeni.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\69.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\qxphorxtit.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\79TZWGIV\hrobc[1].htm (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\79TZWGIV\zip[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\79TZWGIV\unaooftg[1].htm (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:37 PM

Posted 12 October 2009 - 09:55 PM

Hello. good scans.
Did you reboot normally after MBAM?

A note about the TDDS infection.
A backdoor Trojan can allow an attacker to
gain control of the system, log keystrokes, steal passwords, access personal
data, send malevolent outgoing traffic, and close the security warning
messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.


Please do these next.
Rerun Rootrepeal.
This time in step 6 select only FILES.


Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Smarmie

Smarmie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 13 October 2009 - 04:35 PM

First and foremost- thank you so much for helping me. i had to take a break after last night!

Also, here's the log under 'files' from root

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/13 16:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\LocalService\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\NetworkService\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcafee_wxftv6hufztwjun
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_ozoa8hhwgy7ow9j
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\owner\local settings\temp\~df31bf.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: c:\documents and settings\owner\local settings\temp\~dfc2a8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

------------------

I've tried follwing the steps you have given me, however, when i go to start back in safe mode it tells me that i cannot due to an unkown reason.
I did reboot after i ran Malwarebytes, as it told me to do so.

So where do i go from here? i can't seem to go into safemode, and i am unsure as to what would be stopping me from being able to. Could I be running something that would make this happen?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:37 PM

Posted 13 October 2009 - 06:54 PM

You are welcome.
This is usually the result of:
A) Not entering safe mode properly. If you are doing it properly,then the next item (2) could be a recent hardware installation. Followed by (3) a corrupted windows.
Remove any recent hardware install,if this was the case and see if it is remedied. If hardware was not the case then you will need to format and reinstall Windows.
One more note. If during the re installation you encounter errors with copying files, or errors formatting your hard disk drive, then the drive may be bad. In any case it is time to back up your important files now.

There is still the possibility of Malware. There is a way to force safe mode,but it is risky. We can post an HJT log over there . It will be a week for a reply though. What can I help you with now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 Smarmie

Smarmie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 13 October 2009 - 07:02 PM

I'd rather not force safe mode at this point, I'm starting to experience more problems (it took me the last half hour just to get to this forum! other programs are not working properly). it looks like doing a complete system restore is my best option. I'm going to try your tips one more time before giving up, so thank you again for the help.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:37 PM

Posted 13 October 2009 - 07:38 PM

Hi Smarmie, I am posting this in the event...

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Smarmie

Smarmie
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:37 PM

Posted 13 October 2009 - 08:00 PM

tried to get into safe mode, still no luck and same response from computer.

thank you for the information, I have copied and saved it on my laptop for further reference. As i said, i just barely did a system restore not too long ago, so there really isn't anything i need to backup or save (thank goodness) so this should be a nice easy sweep.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:37 PM

Posted 13 October 2009 - 08:18 PM

Good luck and thanks for visiting us. :thumbsup:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users