
Infected with Malware (not sure which!)


This topic is locked
46 replies to this topic

#1 Stavrogin (Members, 24 posts)

Posted 22 April 2010 - 08:59 PM

My internet and computer speed is being affected by a virus. I have noticed two specific problems. First, when I click on links after a Google search, about 50% of the time I am taken to a completely different website. Second, whenever I try to go to any website I notice in the bottom-left corner of my browser the computer is not only trying to connect to the one site, but also several other sites, often with "ad" in the address somewhere.

Here is my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jon at 20:21:11.18 on Thu 04/22/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.30 [GMT -4:00]

AV: Auslogics Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Auslogics\Auslogics Antivirus\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Auslogics\Auslogics Update Service\livesrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Auslogics\Auslogics Antivirus\seccenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Auslogics\Auslogics Antivirus\seccenter.exe
C:\Documents and Settings\Jon\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/ig?hl=en
uSearch Bar = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar =
uInternet Settings,ProxyServer = ftp=NEWSERVER:8080;gopher=NEWSERVER:8080;socks=NEWSERVER:8080
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Auslogics Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\auslogics\auslogics antivirus\IEToolbar.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BDWizReg] "c:\program files\auslogics\auslogics antivirus\bdwizreg.exe" /reg
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171471560531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.164.230,93.188.166.78
TCP: {07104D50-C783-449E-9F91-DD638442561B} = 93.188.164.230,93.188.166.78
TCP: {B4DBBD63-AE65-47ED-A3F3-4AA23DAB6EA8} = 93.188.164.230,93.188.166.78
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jon\applic~1\mozilla\firefox\profiles\xod5e3ji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 152456]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2005-12-31 79616]

=============== Created Last 30 ================

2010-04-23 00:07:22 52 ----a-w- c:\windows\system32\ashttpstats.csv
2010-04-17 14:12:45 0 d-----w- c:\program files\iTunes
2010-04-17 14:12:45 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-17 13:50:14 0 d-----w- c:\program files\Bonjour
2010-03-24 03:46:23 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-03-24 03:40:29 0 d-----w- c:\docume~1\jon\applic~1\Auslogics
2010-03-24 03:40:28 0 d-----w- c:\program files\common files\Auslogics
2010-03-24 03:40:28 0 d-----w- c:\program files\Auslogics
2010-03-24 03:40:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Auslogics
2010-03-24 03:37:30 0 d-----w- c:\program files\common files\BitDefender

==================== Find3M ====================

2010-02-12 15:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2005-02-14 17:29:42 403869 ----a-w- c:\program files\hijackthis199_beta.zip
2005-02-14 05:31:44 465040 ----a-w- c:\program files\CWShredder.exe
2008-08-23 01:02:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 20:26:36.54 ===============

Attached Files

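An added example, not part of either post: the entries in the DDS log above that account for the search redirects are the resolver lines (`TCP: NameServer = 93.188.164.230,93.188.166.78`, repeated for each interface GUID) and the hosts-file override, while the `ProxyServer` value only covers ftp, gopher and socks, so it cannot by itself redirect ordinary HTTP traffic. The Python below parses exactly those DDS line shapes and flags resolvers that are not on an allow-list of expected ones. The allow-list address 192.168.1.1 is an assumption standing in for whatever the user's router or ISP should hand out; the known-rogue ranges are the ones published for the DNSChanger takedown, an outside reference rather than something the thread states.

```python
import ipaddress
import re

# Lines copied from the DDS "Pseudo HJT Report" posted above; only the choice
# of which lines to include is constructed.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = ftp=NEWSERVER:8080;gopher=NEWSERVER:8080;socks=NEWSERVER:8080
uInternet Settings,ProxyOverride = <local>;*.local
TCP: NameServer = 93.188.164.230,93.188.166.78
TCP: {07104D50-C783-449E-9F91-DD638442561B} = 93.188.164.230,93.188.166.78
TCP: {B4DBBD63-AE65-47ED-A3F3-4AA23DAB6EA8} = 93.188.164.230,93.188.166.78
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Rogue resolver ranges published for the DNSChanger (Rove Digital) takedown.
# Outside reference, not something this thread states.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

NAMESERVER_RE = re.compile(
    r"^TCP:\s*(?P<iface>NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>[\d.,\s]+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)$")


def parse_network_settings(text):
    """Pull resolver, proxy and hosts-file lines out of a DDS log."""
    found = {"nameservers": [], "proxy": None, "hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAMESERVER_RE.match(line):
            servers = [s.strip() for s in m["servers"].split(",") if s.strip()]
            found["nameservers"].append((m["iface"], servers))
        elif m := PROXY_RE.match(line):
            found["proxy"] = m["value"].strip()
        elif m := HOSTS_RE.match(line):
            found["hosts"].append((m["ip"], m["host"]))
    return found


def classify_resolver(ip_text, expected_resolvers):
    """Verdict order: expected, known-rogue, private-unlisted, unexpected-public."""
    ip = ipaddress.ip_address(ip_text)
    if ip in {ipaddress.ip_address(e) for e in expected_resolvers}:
        return "expected"
    if any(ip in net for net in ROGUE_DNS_RANGES):
        return "known-rogue"
    if ip.is_private:
        return "private-unlisted"
    return "unexpected-public"


def proxy_schemes(value):
    """Protocols a ProxyServer string covers ('all' for a bare host:port)."""
    if "=" not in value:
        return ["all"]
    return [p.split("=", 1)[0].strip() for p in value.split(";") if "=" in p]


def triage(text, expected_resolvers):
    """One human-readable alert per setting worth chasing."""
    found = parse_network_settings(text)
    alerts = []
    for iface, servers in found["nameservers"]:
        for server in servers:
            verdict = classify_resolver(server, expected_resolvers)
            if verdict != "expected":
                alerts.append(f"DNS {iface}: {server} is {verdict}")
    if found["proxy"]:
        schemes = ", ".join(proxy_schemes(found["proxy"]))
        alerts.append(f"Proxy configured for {schemes}: {found['proxy']}")
    for ip, host in found["hosts"]:
        alerts.append(f"Hosts override: {host} -> {ip}")
    return alerts


if __name__ == "__main__":
    # 192.168.1.1 is an assumed stand-in for the router/ISP resolver.
    for alert in triage(SAMPLE_LOG, ["192.168.1.1"]):
        print(alert)
```

Against the posted log every one of the six resolver entries lands in 93.188.160.0/21, the proxy alert shows the entry covers only ftp, gopher and socks, and the hosts line points a security site at loopback. On a home machine that should be getting DHCP-assigned resolvers, any `known-rogue` or `unexpected-public` verdict is the finding to chase first; a static resolver is also why the redirects survive a browser change, since both IE and Firefox use the same OS resolver settings.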

#2 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 24 April 2010 - 08:27 PM

Hello Stavrogin. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware. All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Stavrogin (Topic Starter, Members, 24 posts)

Posted 25 April 2010 - 10:02 AM

Thanks for your help. Below is my ComboFix log.

ComboFix 10-04-21.01 - Jon 04/25/2010 10:43:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.234 [GMT -4:00]
Running from: c:\documents and settings\Jon\My Documents\Downloads\ComboFix.exe
AV: Auslogics Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\AWS\WEATHE~1\MINIbu~1.dll
c:\program files\AWS\WEATHE~1\MINIBU~1.DLL
c:\recycler\S-1-5-21-1004336348-1844237615-682003330-1003
c:\recycler\S-1-5-21-1175317209-3627084083-4281045560-1003
c:\recycler\S-1-5-21-2095102940-842349010-2319803984-1003
c:\windows\BackUp
c:\windows\BackUp\S\50304000.DAT
c:\windows\BackUp\T\50214000.DAT
c:\windows\patch.exe
c:\windows\regedit.com
c:\windows\system\oeminfo.ini
c:\windows\system32\spool\prtprocs\w32x86\00006585.tmp
c:\windows\system32\spool\prtprocs\w32x86\00007e2c.tmp
c:\windows\system32\taskmgr.com
c:\windows\system32\Thumbs.db
D:\AUTORUN.INF

.
((((((((((((((((((((((((( Files Created from 2010-03-25 to 2010-04-25 )))))))))))))))))))))))))))))))
.

2010-04-17 14:12 . 2010-04-17 14:16 -------- d-----w- c:\program files\iTunes
2010-04-17 14:12 . 2010-04-17 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-17 14:02 . 2010-04-17 14:05 -------- d-----w- c:\program files\QuickTime
2010-04-17 13:50 . 2010-04-17 13:50 -------- d-----w- c:\program files\Bonjour
2010-04-17 13:37 . 2010-04-17 13:37 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-25 14:40 . 2008-12-11 01:11 -------- d-----w- c:\documents and settings\Jon\Application Data\DNA
2010-04-25 13:47 . 2009-03-14 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-24 18:21 . 2005-02-15 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-24 18:19 . 2009-04-18 14:13 -------- d-----w- c:\program files\BHOK It Consulting
2010-04-24 18:18 . 2005-02-11 17:55 -------- d-----w- c:\program files\Spyware Doctor
2010-04-23 00:36 . 2010-03-24 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Auslogics
2010-04-17 14:18 . 2005-03-31 07:08 -------- d-----w- c:\documents and settings\Jon\Application Data\Apple Computer
2010-04-17 14:13 . 2005-03-31 07:07 -------- d-----w- c:\program files\iPod
2010-04-17 14:13 . 2007-07-23 00:11 -------- d-----w- c:\program files\Common Files\Apple
2010-04-13 16:29 . 2009-03-14 20:32 -------- d-----w- c:\program files\Google
2010-03-24 03:46 . 2010-03-24 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-03-24 03:46 . 2008-12-11 01:11 -------- d-----w- c:\program files\DNA
2010-03-24 03:41 . 2010-03-24 03:40 -------- d-----w- c:\documents and settings\Jon\Application Data\Auslogics
2010-03-24 03:40 . 2010-03-24 03:40 -------- d-----w- c:\program files\Common Files\Auslogics
2010-03-24 03:40 . 2010-03-24 03:40 -------- d-----w- c:\program files\Auslogics
2010-03-24 03:37 . 2010-03-24 03:37 -------- d-----w- c:\program files\Common Files\BitDefender
2010-02-28 01:47 . 2005-03-31 06:55 -------- d-----w- c:\documents and settings\Jon\Application Data\BitTorrent
2010-02-26 18:30 . 2007-02-14 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-21 12:42 . 2010-02-21 12:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2005-02-14 17:29 . 2005-02-14 05:39 403869 ----a-w- c:\program files\hijackthis199_beta.zip
2005-02-14 05:31 . 2005-02-14 05:31 465040 ----a-w- c:\program files\CWShredder.exe
2009-10-19 22:59 . 2010-03-24 03:53 47104 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-09-07 21:23 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-10-28 257440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-27 90112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-10-13 294912]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-10-19 293888]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\PROGRA~1\\ExamSoft\\SofTest\\SoftLnch.exe"=
"c:\\PROGRA~1\\ExamSoft\\SofTest\\softest.exe"= c:\\PROGRA~1\\ExamSoft\\SofTest\\SofTest.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 8:40 PM 24652]
S2 gupdate1c9a4e46e2a4032;Google Update Service (gupdate1c9a4e46e2a4032);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2009 4:35 PM 133104]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [12/31/2005 3:17 PM 79616]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-04-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-04-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-14 03:08]

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 20:35]

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mSearch Bar =
uInternet Settings,ProxyServer = ftp=NEWSERVER:8080;gopher=NEWSERVER:8080;socks=NEWSERVER:8080
uInternet Settings,ProxyOverride = <local>;*.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\xod5e3ji.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 10:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys >>UNKNOWN [0x82F468C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86abf28
\Driver\ACPI -> ACPI.sys @ 0xf85eecb8
\Driver\atapi -> atapi.sys @ 0xf858e852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf8482bb0
PacketIndicateHandler -> NDIS.sys @ 0xf848fa21
SendHandler -> NDIS.sys @ 0xf846d87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-25610127-1705076363-1112439221-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-04-25 10:57:27
ComboFix-quarantined-files.txt 2010-04-25 14:57

Pre-Run: 10,267,312,128 bytes free
Post-Run: 10,257,903,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 897E3A5E0312EE5758C068ECC476BEEF


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:58 AM

Posted 25 April 2010 - 11:32 AM

You're welcome!

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 Stavrogin

Stavrogin
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 25 April 2010 - 12:20 PM

TDSSKiller Log:

13:17:48:390 3492 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:17:48:390 3492 ================================================================================
13:17:48:390 3492 SystemInfo:

13:17:48:390 3492 OS Version: 5.1.2600 ServicePack: 3.0
13:17:48:390 3492 Product type: Workstation
13:17:48:390 3492 ComputerName: VALHALLA
13:17:48:390 3492 UserName: Jon
13:17:48:390 3492 Windows directory: C:\WINDOWS
13:17:48:390 3492 Processor architecture: Intel x86
13:17:48:390 3492 Number of processors: 1
13:17:48:390 3492 Page size: 0x1000
13:17:48:390 3492 Boot type: Normal boot
13:17:48:390 3492 ================================================================================
13:17:48:406 3492 UnloadDriverW: NtUnloadDriver error 2
13:17:48:406 3492 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:17:48:578 3492 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:17:48:578 3492 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:17:48:578 3492 wfopen_ex: Trying to KLMD file open
13:17:48:578 3492 wfopen_ex: File opened ok (Flags 2)
13:17:48:578 3492 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:17:48:578 3492 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:17:48:578 3492 wfopen_ex: Trying to KLMD file open
13:17:48:578 3492 wfopen_ex: File opened ok (Flags 2)
13:17:48:578 3492 Initialize success
13:17:48:578 3492
13:17:48:578 3492 Scanning Services ...
13:17:48:843 3492 Raw services enum returned 345 services
13:17:48:875 3492
13:17:48:875 3492 Scanning Kernel memory ...
13:17:48:875 3492 Devices to scan: 3
13:17:48:875 3492
13:17:48:875 3492 Driver Name: Disk
13:17:48:875 3492 IRP_MJ_CREATE : F86ADBB0
13:17:48:875 3492 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:17:48:875 3492 IRP_MJ_CLOSE : F86ADBB0
13:17:48:875 3492 IRP_MJ_READ : F86A7D1F
13:17:48:875 3492 IRP_MJ_WRITE : F86A7D1F
13:17:48:875 3492 IRP_MJ_QUERY_INFORMATION : 804FA88E
13:17:48:875 3492 IRP_MJ_SET_INFORMATION : 804FA88E
13:17:48:875 3492 IRP_MJ_QUERY_EA : 804FA88E
13:17:48:875 3492 IRP_MJ_SET_EA : 804FA88E
13:17:48:875 3492 IRP_MJ_FLUSH_BUFFERS : F86A82E2
13:17:48:875 3492 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
13:17:48:875 3492 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
13:17:48:875 3492 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
13:17:48:875 3492 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
13:17:48:875 3492 IRP_MJ_DEVICE_CONTROL : F86A83BB
13:17:48:875 3492 IRP_MJ_INTERNAL_DEVICE_CONTROL : F86ABF28
13:17:48:875 3492 IRP_MJ_SHUTDOWN : F86A82E2
13:17:48:875 3492 IRP_MJ_LOCK_CONTROL : 804FA88E
13:17:48:875 3492 IRP_MJ_CLEANUP : 804FA88E
13:17:48:875 3492 IRP_MJ_CREATE_MAILSLOT : 804FA88E
13:17:48:875 3492 IRP_MJ_QUERY_SECURITY : 804FA88E
13:17:48:875 3492 IRP_MJ_SET_SECURITY : 804FA88E
13:17:48:875 3492 IRP_MJ_POWER : F86A9C82
13:17:48:875 3492 IRP_MJ_SYSTEM_CONTROL : F86AE99E
13:17:48:875 3492 IRP_MJ_DEVICE_CHANGE : 804FA88E
13:17:48:875 3492 IRP_MJ_QUERY_QUOTA : 804FA88E
13:17:48:875 3492 IRP_MJ_SET_QUOTA : 804FA88E
13:17:48:890 3492 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:17:48:890 3492
13:17:48:890 3492 Driver Name: Disk
13:17:48:890 3492 IRP_MJ_CREATE : F86ADBB0
13:17:48:890 3492 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:17:48:890 3492 IRP_MJ_CLOSE : F86ADBB0
13:17:48:890 3492 IRP_MJ_READ : F86A7D1F
13:17:48:890 3492 IRP_MJ_WRITE : F86A7D1F
13:17:48:890 3492 IRP_MJ_QUERY_INFORMATION : 804FA88E
13:17:48:890 3492 IRP_MJ_SET_INFORMATION : 804FA88E
13:17:48:890 3492 IRP_MJ_QUERY_EA : 804FA88E
13:17:48:890 3492 IRP_MJ_SET_EA : 804FA88E
13:17:48:890 3492 IRP_MJ_FLUSH_BUFFERS : F86A82E2
13:17:48:890 3492 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
13:17:48:890 3492 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
13:17:48:890 3492 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
13:17:48:890 3492 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
13:17:48:890 3492 IRP_MJ_DEVICE_CONTROL : F86A83BB
13:17:48:890 3492 IRP_MJ_INTERNAL_DEVICE_CONTROL : F86ABF28
13:17:48:890 3492 IRP_MJ_SHUTDOWN : F86A82E2
13:17:48:890 3492 IRP_MJ_LOCK_CONTROL : 804FA88E
13:17:48:890 3492 IRP_MJ_CLEANUP : 804FA88E
13:17:48:890 3492 IRP_MJ_CREATE_MAILSLOT : 804FA88E
13:17:48:890 3492 IRP_MJ_QUERY_SECURITY : 804FA88E
13:17:48:890 3492 IRP_MJ_SET_SECURITY : 804FA88E
13:17:48:890 3492 IRP_MJ_POWER : F86A9C82
13:17:48:890 3492 IRP_MJ_SYSTEM_CONTROL : F86AE99E
13:17:48:890 3492 IRP_MJ_DEVICE_CHANGE : 804FA88E
13:17:48:890 3492 IRP_MJ_QUERY_QUOTA : 804FA88E
13:17:48:890 3492 IRP_MJ_SET_QUOTA : 804FA88E
13:17:48:906 3492 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:17:48:906 3492
13:17:48:906 3492 Driver Name: IdeChnDr
13:17:48:906 3492 IRP_MJ_CREATE : F8581108
13:17:48:906 3492 IRP_MJ_CREATE_NAMED_PIPE : F8581108
13:17:48:906 3492 IRP_MJ_CLOSE : F8581108
13:17:48:906 3492 IRP_MJ_READ : F8581108
13:17:48:906 3492 IRP_MJ_WRITE : F8581108
13:17:48:906 3492 IRP_MJ_QUERY_INFORMATION : F8581108
13:17:48:906 3492 IRP_MJ_SET_INFORMATION : F8581108
13:17:48:906 3492 IRP_MJ_QUERY_EA : F8581108
13:17:48:906 3492 IRP_MJ_SET_EA : F8581108
13:17:48:906 3492 IRP_MJ_FLUSH_BUFFERS : F8581108
13:17:48:906 3492 IRP_MJ_QUERY_VOLUME_INFORMATION : F8581108
13:17:48:906 3492 IRP_MJ_SET_VOLUME_INFORMATION : F8581108
13:17:48:906 3492 IRP_MJ_DIRECTORY_CONTROL : F8581108
13:17:48:906 3492 IRP_MJ_FILE_SYSTEM_CONTROL : F8581108
13:17:48:906 3492 IRP_MJ_DEVICE_CONTROL : F8581108
13:17:48:906 3492 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8581108
13:17:48:906 3492 IRP_MJ_SHUTDOWN : F8581108
13:17:48:906 3492 IRP_MJ_LOCK_CONTROL : F8581108
13:17:48:906 3492 IRP_MJ_CLEANUP : F8581108
13:17:48:906 3492 IRP_MJ_CREATE_MAILSLOT : F8581108
13:17:48:906 3492 IRP_MJ_QUERY_SECURITY : F8581108
13:17:48:906 3492 IRP_MJ_SET_SECURITY : F8581108
13:17:48:906 3492 IRP_MJ_POWER : F8581108
13:17:48:906 3492 IRP_MJ_SYSTEM_CONTROL : F8581108
13:17:48:906 3492 IRP_MJ_DEVICE_CHANGE : F8581108
13:17:48:906 3492 IRP_MJ_QUERY_QUOTA : F8581108
13:17:48:906 3492 IRP_MJ_SET_QUOTA : F8581108
13:17:48:906 3492 Driver "IdeChnDr" infected by TDSS rootkit!
13:17:48:921 3492 C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys - Verdict: 1
13:17:48:921 3492 File "C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys" infected by TDSS rootkit ...
13:17:48:921 3492 Processing driver file: C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys
13:17:48:921 3492 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
13:17:49:203 3492 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
13:17:50:171 3492 !fdfb7
13:17:50:171 3492 vfvi6
13:17:50:343 3492 !dsvbh1
13:17:50:515 3492 !vdf7
13:17:50:515 3492 Backup copy not found, trying to cure infected file..
13:17:50:515 3492 C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys - Verdict: Cure failed (0)
13:17:50:515 3492 cure failed
13:17:50:515 3492
13:17:50:515 3492 Completed
13:17:50:515 3492
13:17:50:515 3492 Results:
13:17:50:515 3492 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
13:17:50:515 3492 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:17:50:515 3492 File objects infected / cured / cured on reboot: 1 / 0 / 0
13:17:50:515 3492
13:17:50:515 3492 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:17:50:515 3492 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:17:50:531 3492 KLMD(ARK) unloaded successfully

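Two things in the logs posted so far carry the real signal. In the TDSSKiller output, IdeChnDr has every IRP_MJ_* dispatch entry pointing at the same address (F8581108), whereas disk.sys shows a normal mix of distinct driver routines plus one shared kernel address for the majors it does not implement (804FA88E). Earlier, the mbr.exe run listed an unattributed >>UNKNOWN [0x82F468C8]<< module in the disk I/O call chain. The Python script below is an added example, not part of this thread and not code from TDSSKiller or Gmer: it parses constructed log excerpts modelled on those lines and flags both patterns. The sample text, the regexes and the `min_entries` threshold are assumptions made for the example.

```python
"""Heuristics over anti-rootkit log output (TDSSKiller IRP dispatch tables
and the Gmer mbr.exe 'called modules' line).  Added example with constructed
sample input; it does not read a live log or touch the system."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the TDSSKiller 2.2.8.1 log in the thread:
# timestamp, PID, then "Driver Name: X" or "IRP_MJ_* : <8 hex digits>".
SAMPLE_TDSSKILLER = """\
13:17:48:875 3492 Driver Name: Disk
13:17:48:875 3492 IRP_MJ_CREATE : F86ADBB0
13:17:48:875 3492 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:17:48:875 3492 IRP_MJ_CLOSE : F86ADBB0
13:17:48:875 3492 IRP_MJ_READ : F86A7D1F
13:17:48:875 3492 IRP_MJ_WRITE : F86A7D1F
13:17:48:890 3492 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
13:17:48:906 3492 Driver Name: IdeChnDr
13:17:48:906 3492 IRP_MJ_CREATE : F8581108
13:17:48:906 3492 IRP_MJ_CREATE_NAMED_PIPE : F8581108
13:17:48:906 3492 IRP_MJ_CLOSE : F8581108
13:17:48:906 3492 IRP_MJ_READ : F8581108
13:17:48:906 3492 IRP_MJ_WRITE : F8581108
13:17:48:921 3492 C:\\WINDOWS\\system32\\DRIVERS\\IdeChnDr.sys - Verdict: 1
"""

# Constructed 'called modules' line modelled on the mbr.exe output above.
SAMPLE_MBR = ("called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys "
              "ACPI.sys hal.dll IdeChnDr.sys >>UNKNOWN [0x82F468C8]<<")

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_irp_tables(log_text):
    """Return {driver_name: {IRP_MJ_x: address_int}} from TDSSKiller output.

    Lines that match neither pattern (verdicts, timestamps-only) are ignored;
    IRP entries seen before any 'Driver Name:' line are dropped."""
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return dict(tables)


def flag_uniform_dispatch(tables, min_entries=5):
    """Drivers whose every parsed IRP_MJ_* entry resolves to one address.

    An unhooked driver normally shows several distinct routines plus one
    shared kernel address for the majors it does not handle (804FA88E for
    disk.sys in the posted log).  A table where all entries collapse to a
    single address is the pattern TDSSKiller labelled 'infected by TDSS
    rootkit'.  min_entries avoids flagging drivers with too few lines parsed."""
    flagged = {}
    for name, table in tables.items():
        addrs = set(table.values())
        if len(table) >= min_entries and len(addrs) == 1:
            flagged[name] = next(iter(addrs))
    return flagged


def unknown_modules(called_modules_line):
    """Addresses in the disk I/O chain that mbr.exe could not map to a module."""
    return [int(a, 16) for a in UNKNOWN_RE.findall(called_modules_line)]


if __name__ == "__main__":
    tables = parse_irp_tables(SAMPLE_TDSSKILLER)
    for drv, addr in flag_uniform_dispatch(tables).items():
        print(f"{drv}: all IRP_MJ entries -> {addr:08X} (uniform dispatch)")
    for addr in unknown_modules(SAMPLE_MBR):
        print(f"unattributed module in disk call chain at {addr:#010x}")
```

A uniform dispatch table is only a heuristic: some legitimate drivers route every major through one generic dispatch routine, and the stronger tell (the hook address lying outside the loaded image of the driver it claims to be) needs module base and size information that TDSSKiller's log does not print. Treat a hit as a reason to verify the driver file offline, which is what the rest of the thread goes on to do.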
#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:58 AM

Posted 25 April 2010 - 12:27 PM

Next thing to do:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press OK
      This will launch a Command Prompt window (looks like DOS).
  • Type or Copy/Paste: c:\windows\mbr.exe -f >>"C:\mbr.log"
  • Press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive.
  • Copy and paste the results of the mbr.log in your next reply along with a new DDS log.

#7 Stavrogin

Stavrogin
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 25 April 2010 - 12:39 PM

MBR Log
_____________________

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


New DSS Log
_____________________
13:38:01:406 3480 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:38:01:406 3480 ================================================================================
13:38:01:406 3480 SystemInfo:

13:38:01:406 3480 OS Version: 5.1.2600 ServicePack: 3.0
13:38:01:406 3480 Product type: Workstation
13:38:01:406 3480 ComputerName: VALHALLA
13:38:01:406 3480 UserName: Jon
13:38:01:406 3480 Windows directory: C:\WINDOWS
13:38:01:406 3480 Processor architecture: Intel x86
13:38:01:406 3480 Number of processors: 1
13:38:01:406 3480 Page size: 0x1000
13:38:01:406 3480 Boot type: Normal boot
13:38:01:406 3480 ================================================================================
13:38:01:406 3480 UnloadDriverW: NtUnloadDriver error 2
13:38:01:406 3480 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:38:01:421 3480 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:38:01:421 3480 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:38:01:421 3480 wfopen_ex: Trying to KLMD file open
13:38:01:421 3480 wfopen_ex: File opened ok (Flags 2)
13:38:01:421 3480 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:38:01:421 3480 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:38:01:421 3480 wfopen_ex: Trying to KLMD file open
13:38:01:421 3480 wfopen_ex: File opened ok (Flags 2)
13:38:01:421 3480 Initialize success
13:38:01:421 3480
13:38:01:421 3480 Scanning Services ...
13:38:01:515 3480 Raw services enum returned 345 services
13:38:01:531 3480
13:38:01:531 3480 Scanning Kernel memory ...
13:38:01:531 3480 Devices to scan: 3
13:38:01:531 3480
13:38:01:531 3480 Driver Name: Disk
13:38:01:531 3480 IRP_MJ_CREATE : F86ADBB0
13:38:01:531 3480 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:38:01:531 3480 IRP_MJ_CLOSE : F86ADBB0
13:38:01:531 3480 IRP_MJ_READ : F86A7D1F
13:38:01:531 3480 IRP_MJ_WRITE : F86A7D1F
13:38:01:531 3480 IRP_MJ_QUERY_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_QUERY_EA : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_EA : 804FA88E
13:38:01:531 3480 IRP_MJ_FLUSH_BUFFERS : F86A82E2
13:38:01:531 3480 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
13:38:01:531 3480 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
13:38:01:531 3480 IRP_MJ_DEVICE_CONTROL : F86A83BB
13:38:01:531 3480 IRP_MJ_INTERNAL_DEVICE_CONTROL : F86ABF28
13:38:01:531 3480 IRP_MJ_SHUTDOWN : F86A82E2
13:38:01:531 3480 IRP_MJ_LOCK_CONTROL : 804FA88E
13:38:01:531 3480 IRP_MJ_CLEANUP : 804FA88E
13:38:01:531 3480 IRP_MJ_CREATE_MAILSLOT : 804FA88E
13:38:01:531 3480 IRP_MJ_QUERY_SECURITY : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_SECURITY : 804FA88E
13:38:01:531 3480 IRP_MJ_POWER : F86A9C82
13:38:01:531 3480 IRP_MJ_SYSTEM_CONTROL : F86AE99E
13:38:01:531 3480 IRP_MJ_DEVICE_CHANGE : 804FA88E
13:38:01:531 3480 IRP_MJ_QUERY_QUOTA : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_QUOTA : 804FA88E
13:38:01:531 3480 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:01:531 3480
13:38:01:531 3480 Driver Name: Disk
13:38:01:531 3480 IRP_MJ_CREATE : F86ADBB0
13:38:01:531 3480 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
13:38:01:531 3480 IRP_MJ_CLOSE : F86ADBB0
13:38:01:531 3480 IRP_MJ_READ : F86A7D1F
13:38:01:531 3480 IRP_MJ_WRITE : F86A7D1F
13:38:01:531 3480 IRP_MJ_QUERY_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_QUERY_EA : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_EA : 804FA88E
13:38:01:531 3480 IRP_MJ_FLUSH_BUFFERS : F86A82E2
13:38:01:531 3480 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
13:38:01:531 3480 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
13:38:01:531 3480 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
13:38:01:531 3480 IRP_MJ_DEVICE_CONTROL : F86A83BB
13:38:01:531 3480 IRP_MJ_INTERNAL_DEVICE_CONTROL : F86ABF28
13:38:01:531 3480 IRP_MJ_SHUTDOWN : F86A82E2
13:38:01:531 3480 IRP_MJ_LOCK_CONTROL : 804FA88E
13:38:01:531 3480 IRP_MJ_CLEANUP : 804FA88E
13:38:01:531 3480 IRP_MJ_CREATE_MAILSLOT : 804FA88E
13:38:01:531 3480 IRP_MJ_QUERY_SECURITY : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_SECURITY : 804FA88E
13:38:01:531 3480 IRP_MJ_POWER : F86A9C82
13:38:01:531 3480 IRP_MJ_SYSTEM_CONTROL : F86AE99E
13:38:01:531 3480 IRP_MJ_DEVICE_CHANGE : 804FA88E
13:38:01:531 3480 IRP_MJ_QUERY_QUOTA : 804FA88E
13:38:01:531 3480 IRP_MJ_SET_QUOTA : 804FA88E
13:38:01:546 3480 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:01:546 3480
13:38:01:546 3480 Driver Name: IdeChnDr
13:38:01:546 3480 IRP_MJ_CREATE : F8581108
13:38:01:546 3480 IRP_MJ_CREATE_NAMED_PIPE : F8581108
13:38:01:546 3480 IRP_MJ_CLOSE : F8581108
13:38:01:546 3480 IRP_MJ_READ : F8581108
13:38:01:546 3480 IRP_MJ_WRITE : F8581108
13:38:01:546 3480 IRP_MJ_QUERY_INFORMATION : F8581108
13:38:01:546 3480 IRP_MJ_SET_INFORMATION : F8581108
13:38:01:546 3480 IRP_MJ_QUERY_EA : F8581108
13:38:01:546 3480 IRP_MJ_SET_EA : F8581108
13:38:01:546 3480 IRP_MJ_FLUSH_BUFFERS : F8581108
13:38:01:546 3480 IRP_MJ_QUERY_VOLUME_INFORMATION : F8581108
13:38:01:546 3480 IRP_MJ_SET_VOLUME_INFORMATION : F8581108
13:38:01:546 3480 IRP_MJ_DIRECTORY_CONTROL : F8581108
13:38:01:546 3480 IRP_MJ_FILE_SYSTEM_CONTROL : F8581108
13:38:01:546 3480 IRP_MJ_DEVICE_CONTROL : F8581108
13:38:01:546 3480 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8581108
13:38:01:546 3480 IRP_MJ_SHUTDOWN : F8581108
13:38:01:546 3480 IRP_MJ_LOCK_CONTROL : F8581108
13:38:01:546 3480 IRP_MJ_CLEANUP : F8581108
13:38:01:546 3480 IRP_MJ_CREATE_MAILSLOT : F8581108
13:38:01:546 3480 IRP_MJ_QUERY_SECURITY : F8581108
13:38:01:546 3480 IRP_MJ_SET_SECURITY : F8581108
13:38:01:546 3480 IRP_MJ_POWER : F8581108
13:38:01:546 3480 IRP_MJ_SYSTEM_CONTROL : F8581108
13:38:01:546 3480 IRP_MJ_DEVICE_CHANGE : F8581108
13:38:01:546 3480 IRP_MJ_QUERY_QUOTA : F8581108
13:38:01:546 3480 IRP_MJ_SET_QUOTA : F8581108
13:38:01:546 3480 Driver "IdeChnDr" infected by TDSS rootkit!
13:38:01:546 3480 C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys - Verdict: 1
13:38:01:546 3480 File "C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys" infected by TDSS rootkit ...
13:38:01:562 3480 Processing driver file: C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys
13:38:01:562 3480 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
13:38:01:593 3480 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
13:38:01:703 3480 !fdfb7
13:38:01:703 3480 vfvi6
13:38:01:796 3480 !dsvbh1
13:38:01:906 3480 !vdf7
13:38:01:906 3480 Backup copy not found, trying to cure infected file..
13:38:01:906 3480 C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys - Verdict: Cure failed (0)
13:38:01:906 3480 cure failed
13:38:01:906 3480
13:38:01:906 3480 Completed
13:38:01:906 3480
13:38:01:906 3480 Results:
13:38:01:906 3480 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
13:38:01:906 3480 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:38:01:906 3480 File objects infected / cured / cured on reboot: 1 / 0 / 0
13:38:01:906 3480
13:38:01:906 3480 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:38:01:906 3480 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:38:01:906 3480 KLMD(ARK) unloaded successfully


#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:58 AM

Posted 25 April 2010 - 01:36 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    IdeChnDr.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 Stavrogin

Stavrogin
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 25 April 2010 - 01:50 PM

SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:48 on 25/04/2010 by Jon (Administrator - Elevation successful)

========== filefind ==========

Searching for "IdeChnDr.sys"
C:\Program Files\Intel\Intel Application Accelerator\Driver\IdeChnDr.sys --a--- 101431 bytes [17:21 10/04/2003] [07:00 15/10/2002] 7D2B8BE9E89628663C1FB571F7C34062
C:\WINDOWS\system32\drivers\IdeChnDr.sys --a--- 101431 bytes [17:21 10/04/2003] [07:00 15/10/2002] 7D2B8BE9E89628663C1FB571F7C34062

-=End Of File=-

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:58 AM

Posted 25 April 2010 - 02:05 PM

Next thing is we'll boot into the Recovery Console and perform a file replacement.

Starting the Recovery Console

There is a good set of instructions at http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/ on how to enter the Recovery Console, starting at the line How to start the Recovery Console, which is about a third of the way down the page:

To start the Recovery Console when it is installed on your hard drive:

1. Reboot your computer and as Windows starts it will present you with your startup options, which usually only show up for a couple of seconds. Your choices will be Microsoft Windows XP Home Edition or Microsoft Windows Recovery Console.

2. With the arrow keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the Enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press Enter. If you have just one Windows installation, type 1 and press Enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press Enter. Otherwise type in the password and then press Enter.

5. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

6. Once at the command prompt, type the following carefully:

QUOTE
copy "C:\Program Files\Intel\Intel Application Accelerator\Driver\IdeChnDr.sys" "C:\WINDOWS\system32\drivers\IdeChnDr.sys"

then press Enter.

If prompted to overwrite the existing file, type Y and hit Enter.

7. Next type exit at the command prompt, then press Enter. That will exit the Recovery Console and attempt to restart your machine.

8. Once it has restarted back into normal mode please run GMER again like you did the last time.

#11 Stavrogin

Stavrogin
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 25 April 2010 - 03:09 PM

When I rebooted my computer I wasn't given the option to boot in Recovery Mode. I tried running combofix again and it didn't ask to install the Windows Recovery Console, so it must be there. There is one thing that may be affecting it. Spybot S&D automatically boots with my computer. After combofix was done it asked about several changes and I denied them all.

1. Should I re-run again and allow the changes?
2. Is Spybot S&D any good? Should I just uninstall it?

Sorry for the snag and thanks again for your help.

Jon

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:58 AM

Posted 25 April 2010 - 03:38 PM

Spybot S&D is a fairly good program as far as I know. When you say it boots with your computer don't you mean it starts up with Windows? You should be seeing the choice for the RC before Windows starts to boot.

Edited by thewall, 25 April 2010 - 03:39 PM.

#13 Stavrogin

Stavrogin
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 25 April 2010 - 03:45 PM

Yah, I meant it starts with Windows. Unfortunately the RC choice doesn't come up before Windows starts to boot. Is there a way to check if it's working properly? Should I try re-booting one more time to check?

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:58 AM

Posted 25 April 2010 - 04:08 PM

Do this first:

Click on Start>>Run and when the box opens type in msconfig. When the next box opens click on boot.ini. At that screen in the top section you should see [operating systems]. Look under that and see if both Windows XP Home Edition and Microsoft Windows Recovery Console are listed. They will be listed separately if the RC is installed. Let me know what you see.

#15 Stavrogin

Stavrogin
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 25 April 2010 - 04:12 PM

Looks like they're both there.

Here is what is says under operating systems:

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
