
afd.sys(Backdoor.Tidserv.l!inf)


  • This topic is locked
23 replies to this topic

#1 Hhar

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 07 May 2010 - 03:33 PM

Norton Internet Security found this: afd.sys(Backdoor.Tidserv.l!inf)

It is unable to remove it and linked me to this page hxxp://securityresponse.symantec.com/security_response/writeup.jsp?docid=2009-120316-3836-99&tabid=3


I have tried running the scan in safe mode, but Norton crashes with a runtime error
whenever I press any of the tabs in the scan window OR when it finds the afd.sys(Backdoor.Tidserv.l!inf).

I am unsure of what to do next.


I'm running Vista SP2.


Posted this here http://community.norton.com/t5/Norton-Inte...inf/td-p/228346

Was told to ask for help on this site.

Possibly related:

Got a sudden bluescreen a few weeks ago; since then, every time I start Windows it asks which program I would like to use to open net.net.

Last night when I started my computer I would get a bluescreen whenever I reached the Windows login screen. I was able to start in safe mode and used System Restore to restore the computer to around 2010-April-25.

I could start Windows normally again; the net.net issue was still there.
Norton Internet Security's UI was completely thrashed and requested me to reinstall. It also reported a virus, but the UI was too damaged to make out what it was.

After reinstall it reported: afd.sys(Backdoor.Tidserv.l!inf)
Googled it, then posted the above topic.


Most likely unrelated:

Two times after the net.net issue the computer has had a complete freeze while emitting a continuous loud beep from the speakers; I had to hold down the power button to turn it off.
When trying to boot it again it won't work for around 40 minutes; only the fans start and the keyboard light flashes, no hard drive or anything else it seems.

It happened once as I was starting Windows and once while playing a game.


DDS.txt
DDS (Ver_10-03-17.01) - NTFSx86
Run by Joel at 13:26:24,21 on 2010-05-07
Internet Explorer: 8.0.6001.18904
Microsoft Windows Vista™ Home Premium 6.0.6002.2.1252.46.1053.18.3326.1971 [GMT 2:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Program Files\ekort\ekort.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Windows\System32\OBroker.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\hp\kbd\kbd.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Joel\Desktop\dds.scr
C:\Windows\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wowhead.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=71&bd=Pavilion&pf=desktop
BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: EKortBrowserHelper Class: {1c900459-deef-4aa9-b260-1ef0f0c70a8d} - c:\program files\ekort\Bhoekort.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: e-kort Helper Class: {9065e913-4f23-4b47-9b5d-b055d32db1f3} - c:\program files\ekort\EKortHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: e-kort Toolbar: {8db2b2e8-579f-48a8-a496-18fefcf8f4df} - c:\program files\ekort\EKortToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\17.6.0.32\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [e-kort] c:\progra~1\ekort\ekort.exe /dontopenmycards /Autostart
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-5-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-5-7 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-5-7 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100429.001\IDSvix86.sys [2010-5-7 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-5-7 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1106000.020\symtdiv.sys [2010-5-7 340016]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-5-7 126392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2007-4-3 2831616]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-7 102448]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\symantec\liveupdate\aluschedulersvc.exe" --> c:\program files\symantec\liveupdate\ALUSchedulerSvc.exe [?]
S2 gupdate;Tjänsten Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-5 21504]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-8-22 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-8-22 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-8-22 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-8-22 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-8-22 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-8-22 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-8-22 110120]

=============== Created Last 30 ================

2010-05-07 11:18:11 304 ----a-w- c:\users\joel\defogger_reenable
2010-05-06 23:44:48 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-06 23:44:48 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-06 23:44:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-06 23:43:10 0 d-----w- c:\program files\NortonInstaller
2010-05-06 19:43:18 0 d-----w- c:\programdata\Sun
2010-05-06 19:42:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-14 05:49:51 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 05:49:51 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 05:49:51 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 05:49:42 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 05:49:41 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 05:49:40 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 05:49:39 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 05:49:39 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 05:49:16 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 05:49:15 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 05:49:15 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 05:48:29 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 05:48:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-12 22:39:13 293376 ----a-w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-05-07 11:20:45 34800 ----a-w- c:\programdata\nvModes.dat
2010-05-06 19:30:01 605690 ----a-w- c:\windows\system32\perfh01D.dat
2010-05-06 19:30:01 121424 ----a-w- c:\windows\system32\perfc01D.dat
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-18 08:09:49 86016 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 08:09:49 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:09:49 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-18 08:09:49 143360 ----a-w- c:\windows\inf\infstor.dat
2008-06-06 01:38:02 174 --sha-w- c:\program files\desktop.ini
2007-04-03 07:13:12 35978 ----a-w- c:\windows\inf\perflib\041d\perfd.dat
2007-04-03 07:13:12 35978 ----a-w- c:\windows\inf\perflib\041d\perfc.dat
2007-04-03 07:13:12 290490 ----a-w- c:\windows\inf\perflib\041d\perfi.dat
2007-04-03 07:13:12 290490 ----a-w- c:\windows\inf\perflib\041d\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-17 08:37:15 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-16 06:54:36 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 13:28:16,29 ===============


Edited by Orange Blossom, 07 May 2010 - 08:21 PM.
Deactivated link. ~ OB
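As an added example (not code from the thread, from DDS, or from its author), a small Python triage script for the DDS.txt format quoted above: it parses the Running Processes, SERVICES / DRIVERS and Created Last 30 sections and flags the entries a removal helper reads first (core binaries running outside their system directory, started drivers outside trusted paths or with no file info, and a driver that appeared on its own). The sample log is constructed from lines of the first DDS.txt plus two invented entries, the svchost.exe under Temp and constructed.sys.

```python
"""Triage helper for DDS.txt logs like the ones in this thread: parses the "Running
Processes", "SERVICES / DRIVERS" and "Created Last 30" sections and flags entries."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PROCESS_RE = re.compile(r"^(.+?\.(?:exe|scr|com))(?:\s+.*)?$", re.IGNORECASE)
# "R0 Name;Display name;image path [yyyy-m-d size]" -- DDS prints "[?]" when it found no file info
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]$")
# "2010-05-06 23:44:48 124976 ----a-w- c:\path\file"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")

# Core Windows binaries and the only directory each legitimately runs from.
CORE_PROCESS_DIRS = {name: r"c:\windows\system32" for name in ("svchost.exe", "wininit.exe", "lsm.exe")}
# Where a started (R*) driver/service image is expected to live. Weak on its own: the
# infected afd.sys in this thread sits in system32\drivers like every other driver.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files", r"c:\programdata")

# Constructed sample: lines copied from the first DDS.txt in the thread plus two constructed
# entries (the svchost.exe under Temp and constructed.sys) so that every check fires once.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\Joel\AppData\Local\Temp\svchost.exe

============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-5-7 328752]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\symantec\liveupdate\aluschedulersvc.exe" --> c:\program files\symantec\liveupdate\ALUSchedulerSvc.exe [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]

=============== Created Last 30 ================
2010-05-06 23:44:48 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-06 23:44:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-02 03:12:44 45056 ----a-w- c:\windows\system32\drivers\constructed.sys
2010-04-14 05:49:16 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 05:49:15 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
"""

def parse_sections(text):
    """Map each '==== Name ====' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def split_path(path):
    """Return (directory, file name), both lower-cased, for a Windows path."""
    head, _, tail = path.strip().strip('"').lower().rpartition("\\")
    return head, tail

def check_processes(lines):
    """Core binaries such as svchost.exe never run from a user profile."""
    findings = []
    for line in lines:
        m = PROCESS_RE.match(line)
        if m:
            directory, name = split_path(m.group(1))
            if name in CORE_PROCESS_DIRS and directory != CORE_PROCESS_DIRS[name]:
                findings.append(f"core binary {name} running from {directory}")
    return findings

def check_drivers(lines):
    """Flag started entries outside trusted paths and entries DDS found no file for."""
    findings = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if not m:
            continue
        state, name, _display, image, info = m.groups()
        image = image.split("-->")[-1].strip()  # keep the resolved path, not the registry one
        directory, _ = split_path(image)
        if info.strip() == "?":
            findings.append(f"{state} {name}: no file date/size recorded for {image}")
        if state.startswith("R") and not directory.startswith(TRUSTED_PREFIXES):
            findings.append(f"{state} {name}: running from untrusted location {directory}")
    return findings

def check_created(lines):
    """A .sys that appeared alone is worth a look: updates drop drivers in batches."""
    by_day = defaultdict(list)
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            by_day[m.group(1)].append(m.group(5).lower())
    return [f"lone driver created on {day}: {paths[0]}"
            for day, paths in by_day.items() if len(paths) == 1 and paths[0].endswith(".sys")]

def triage(text):
    sections = parse_sections(text)
    return {"processes": check_processes(sections.get("Running Processes", [])),
            "drivers": check_drivers(sections.get("SERVICES / DRIVERS", [])),
            "created": check_created(sections.get("Created Last 30", []))}
```

Note that afd.sys, the driver Norton flagged, appears in neither list of the real log: the infection modifies a driver that is already there, which is why the helper asks for a GMER rootkit scan rather than relying on DDS alone.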



#2 Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:27 PM

Posted 10 May 2010 - 04:07 PM

Hi Hhar,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is still not resolved please update me on the current condition of your computer.

Also post a fresh DDS.txt, no need for the Attach.txt.
Then run GMER and uncheck all the sections except Sections (C drive should be checked) and click Scan. It will not take long. Please save and post the log.

#3 Hhar
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 10 May 2010 - 04:45 PM

Thanks for helping me out!

Well, the net.net thing doesn't pop up anymore.
I seem to be running low on RAM sometimes and I have had attempts to steal my b.net account.
Haven't noticed anything else, I believe.

And yeah, won't be changing anything.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Joel at 23:15:31,18 on 2010-05-10
Internet Explorer: 8.0.6001.18904
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.46.1053.18.3326.2027 [GMT 2:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Joel\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wowhead.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=71&bd=Pavilion&pf=desktop
BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: EKortBrowserHelper Class: {1c900459-deef-4aa9-b260-1ef0f0c70a8d} - c:\program files\ekort\Bhoekort.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: e-kort Helper Class: {9065e913-4f23-4b47-9b5d-b055d32db1f3} - c:\program files\ekort\EKortHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: e-kort Toolbar: {8db2b2e8-579f-48a8-a496-18fefcf8f4df} - c:\program files\ekort\EKortToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\17.6.0.32\coIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [e-kort] c:\progra~1\ekort\ekort.exe /dontopenmycards /Autostart
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-5-7 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-5-7 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-5-7 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-5-8 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-5-7 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1106000.020\symtdiv.sys [2010-5-7 340016]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-5-7 126392]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-9-27 240232]
R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2007-4-3 2831616]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-7 102448]
S2 Automatisk LiveUpdate-schemaläggare;Automatisk LiveUpdate-schemaläggare;"c:\program files\symantec\liveupdate\aluschedulersvc.exe" --> c:\program files\symantec\liveupdate\ALUSchedulerSvc.exe [?]
S2 gupdate;Tjänsten Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-5 21504]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-8-22 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-8-22 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-8-22 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-8-22 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-8-22 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-8-22 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-8-22 110120]

=============== Created Last 30 ================

2010-05-07 11:18:11 304 ----a-w- c:\users\joel\defogger_reenable
2010-05-06 23:44:48 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-06 23:44:48 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-06 23:44:48 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-06 23:43:10 0 d-----w- c:\program files\NortonInstaller
2010-05-06 19:43:18 0 d-----w- c:\programdata\Sun
2010-05-06 19:42:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-14 05:49:51 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 05:49:51 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 05:49:51 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 05:49:42 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 05:49:41 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 05:49:40 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 05:49:39 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 05:49:39 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 05:49:16 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 05:49:15 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 05:49:15 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 05:48:29 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 05:48:27 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-12 22:39:13 293376 ----a-w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-05-10 19:29:43 34800 ----a-w- c:\programdata\nvModes.dat
2010-05-06 19:30:01 605690 ----a-w- c:\windows\system32\perfh01D.dat
2010-05-06 19:30:01 121424 ----a-w- c:\windows\system32\perfc01D.dat
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-18 08:09:49 86016 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 08:09:49 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:09:49 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-18 08:09:49 143360 ----a-w- c:\windows\inf\infstor.dat
2008-06-06 01:38:02 174 --sha-w- c:\program files\desktop.ini
2007-04-03 07:13:12 35978 ----a-w- c:\windows\inf\perflib\041d\perfd.dat
2007-04-03 07:13:12 35978 ----a-w- c:\windows\inf\perflib\041d\perfc.dat
2007-04-03 07:13:12 290490 ----a-w- c:\windows\inf\perflib\041d\perfi.dat
2007-04-03 07:13:12 290490 ----a-w- c:\windows\inf\perflib\041d\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-17 08:37:15 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-16 06:54:36 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 23:17:42,57 ===============


QUOTE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 23:29:22
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Joel\AppData\Local\Temp\fwldypow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 828DF880 8 Bytes [10, 71, 90, 8A, 10, F1, 80, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 828DF894 4 Bytes [A8, 71, 48, 8B]
.text ntkrnlpa.exe!KeSetEvent + 13D 828DF8A0 4 Bytes [78, 8C, 35, 8A]
.text ntkrnlpa.exe!KeSetEvent + 191 828DF8F4 4 Bytes [08, AE, 40, 8B]
.text ntkrnlpa.exe!KeSetEvent + 1F5 828DF958 4 Bytes [80, 7B, 49, 8B] {CMP BYTE [EBX+0x49], 0x8b}
.text ...
.rsrc C:\Windows\system32\drivers\afd.sys entry point in ".rsrc" section [0x955B8014]
? C:\Windows\system32\drivers\afd.sys Åtkomst nekad.
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xB400E300, 0x3AF78, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xB4051300, 0x1BCE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!SetWindowsHookExW 75A587AD 5 Bytes JMP 6F3A9A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!CallNextHookEx 75A58E3B 5 Bytes JMP 6F39D101 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!UnhookWindowsHookEx 75A598DB 5 Bytes JMP 6F31466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!CreateWindowExW 75A61305 5 Bytes JMP 6F3ADAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxParamW 75A810B0 5 Bytes JMP 6F2D5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxIndirectParamW 75A82EF5 5 Bytes JMP 6F4A473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxParamA 75A98152 5 Bytes JMP 6F4A46DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!DialogBoxIndirectParamA 75A9847D 5 Bytes JMP 6F4A47A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxIndirectA 75AAD4D9 5 Bytes JMP 6F4A4671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxIndirectW 75AAD5D3 5 Bytes JMP 6F4A4606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxExA 75AAD639 5 Bytes JMP 6F4A45A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] USER32.dll!MessageBoxExW 75AAD65D 5 Bytes JMP 6F4A4542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] ole32.dll!OleLoadFromStream 75E21E12 5 Bytes JMP 6F4A4AA7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1552] ole32.dll!CoCreateInstance 75E59EA6 5 Bytes JMP 6F3ADB20 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!CreateWindowExW 75A61305 5 Bytes JMP 6F3ADAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!DialogBoxParamW 75A810B0 5 Bytes JMP 6F2D5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!DialogBoxIndirectParamW 75A82EF5 5 Bytes JMP 6F4A473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!DialogBoxParamA 75A98152 5 Bytes JMP 6F4A46DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!DialogBoxIndirectParamA 75A9847D 5 Bytes JMP 6F4A47A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!MessageBoxIndirectA 75AAD4D9 5 Bytes JMP 6F4A4671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!MessageBoxIndirectW 75AAD5D3 5 Bytes JMP 6F4A4606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!MessageBoxExA 75AAD639 5 Bytes JMP 6F4A45A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3176] USER32.dll!MessageBoxExW 75AAD65D 5 Bytes JMP 6F4A4542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!SetWindowsHookExW 75A587AD 5 Bytes JMP 6F3A9A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!CallNextHookEx 75A58E3B 5 Bytes JMP 6F39D101 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!UnhookWindowsHookEx 75A598DB 5 Bytes JMP 6F31466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!CreateWindowExW 75A61305 5 Bytes JMP 6F3ADAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!DialogBoxParamW 75A810B0 5 Bytes JMP 6F2D5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!DialogBoxIndirectParamW 75A82EF5 5 Bytes JMP 6F4A473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!DialogBoxParamA 75A98152 5 Bytes JMP 6F4A46DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!DialogBoxIndirectParamA 75A9847D 5 Bytes JMP 6F4A47A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!MessageBoxIndirectA 75AAD4D9 5 Bytes JMP 6F4A4671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!MessageBoxIndirectW 75AAD5D3 5 Bytes JMP 6F4A4606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!MessageBoxExA 75AAD639 5 Bytes JMP 6F4A45A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] USER32.dll!MessageBoxExW 75AAD65D 5 Bytes JMP 6F4A4542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] ole32.dll!OleLoadFromStream 75E21E12 5 Bytes JMP 6F4A4AA7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4292] ole32.dll!CoCreateInstance 75E59EA6 5 Bytes JMP 6F3ADB20 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!SetWindowsHookExW 75A587AD 5 Bytes JMP 6F3A9A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!CallNextHookEx 75A58E3B 5 Bytes JMP 6F39D101 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!UnhookWindowsHookEx 75A598DB 5 Bytes JMP 6F31466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!CreateWindowExW 75A61305 5 Bytes JMP 6F3ADAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!DialogBoxParamW 75A810B0 5 Bytes JMP 6F2D5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!DialogBoxIndirectParamW 75A82EF5 5 Bytes JMP 6F4A473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!DialogBoxParamA 75A98152 5 Bytes JMP 6F4A46DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!DialogBoxIndirectParamA 75A9847D 5 Bytes JMP 6F4A47A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!MessageBoxIndirectA 75AAD4D9 5 Bytes JMP 6F4A4671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!MessageBoxIndirectW 75AAD5D3 5 Bytes JMP 6F4A4606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!MessageBoxExA 75AAD639 5 Bytes JMP 6F4A45A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] USER32.dll!MessageBoxExW 75AAD65D 5 Bytes JMP 6F4A4542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] ole32.dll!OleLoadFromStream 75E21E12 5 Bytes JMP 6F4A4AA7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4892] ole32.dll!CoCreateInstance 75E59EA6 5 Bytes JMP 6F3ADB20 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!SetWindowsHookExW 75A587AD 5 Bytes JMP 6F3A9A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!CallNextHookEx 75A58E3B 5 Bytes JMP 6F39D101 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!UnhookWindowsHookEx 75A598DB 5 Bytes JMP 6F31466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!CreateWindowExW 75A61305 5 Bytes JMP 6F3ADAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!DialogBoxParamW 75A810B0 5 Bytes JMP 6F2D5505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!DialogBoxIndirectParamW 75A82EF5 5 Bytes JMP 6F4A473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!DialogBoxParamA 75A98152 5 Bytes JMP 6F4A46DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!DialogBoxIndirectParamA 75A9847D 5 Bytes JMP 6F4A47A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!MessageBoxIndirectA 75AAD4D9 5 Bytes JMP 6F4A4671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!MessageBoxIndirectW 75AAD5D3 5 Bytes JMP 6F4A4606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!MessageBoxExA 75AAD639 5 Bytes JMP 6F4A45A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] USER32.dll!MessageBoxExW 75AAD65D 5 Bytes JMP 6F4A4542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] ole32.dll!OleLoadFromStream 75E21E12 5 Bytes JMP 6F4A4AA7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5764] ole32.dll!CoCreateInstance 75E59EA6 5 Bytes JMP 6F3ADB20 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\afd.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#4 Farbar
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 May 2010 - 07:56 PM

Thanks for the feedback. Please read the whole post before doing the fix, so as not to prevent the tool from working.
  1. Download http://download.bleepingcomputer.com/farbar/TDLfix.exe and save it to your desktop.
    • Close all the open windows.
    • Important: Right-click TDLfix.exe and select "Run as administrator".
    • Type (or copy the following and right-click to paste) in the command window and press Enter:
      afd
    • The application will restart the computer immediately and run again after the restart. In this case it reboots the computer once more. Please don't do anything until Windows has fully loaded after the second reboot.
    • Tell me if the computer rebooted and the tool ran to completion.

  2. After Windows has fully loaded for the second time, run the tool as administrator again. Type the following and press Enter:

    mbr

    A log file opens. Please post it to your reply.


#5 Hhar
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2010 - 02:27 AM

This is the response I got from TDLfix; I ran it as admin.

QUOTE
Please enter name of the suspected driver and press Enter:
afd
Could not make back up.
Operation aborted.
Tryck ned valfri tangent för att fortsätta...


#6 Farbar
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 May 2010 - 03:00 AM

Please do the following:

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


CODE
@ECHO OFF
copy /v /y "%systemroot%\system32\drivers\afd.sys" "%systemdrive%\" >log.txt 2>&1
START log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Right-click to run it as administrator.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.


#7 Hhar
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2010 - 03:19 AM

QUOTE
Åtkomst nekad.
0 fil(er) kopierad(e).

Access denied.

#8 Farbar
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 May 2010 - 04:22 AM

Please make a batch file with the following syntax, run it and post the log.

QUOTE
@echo off
icacls "%systemroot%\system32\drivers\afd.sys" >log.txt 2>&1
START log.txt


#9 Hhar
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2010 - 04:27 AM

QUOTE
C:\Windows\system32\drivers\afd.sys NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administratörer:(RX)
NT INSTANS\SYSTEM:(RX)
BUILTIN\Användare:(RX)

1 filer behandlades; Det gick inte att behandla 0 filer


#10 Farbar
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 May 2010 - 04:39 AM

It looks like those settings are okay and the rootkit is preventing access to the file. We need to handle this one in a special way.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    afd.sy*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt





#11 Hhar
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2010 - 04:55 AM

QUOTE
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:50 on 11/05/2010 by Joel (Administrator - Elevation successful)

========== filefind ==========

Searching for "afd.sy*"
C:\Users\Joel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3CWSHVVK\afd.sys[1].htm --a--- 10538 bytes [13:52 07/05/2010] [13:52 07/05/2010] 40469795F1F937D815062C9CC5478FEF
C:\Users\Joel\Favorites\afd.sys(Ba​ckdoor.Tid​serv.l!inf​).url --a--- 295 bytes [23:30 07/05/2010] [09:24 11/05/2010] CB79E5474D1E74E9D6CF9F1DE18B0EF4
C:\Windows\System32\drivers\afd.sys --a--- 273920 bytes [22:44 23/09/2009] [04:47 11/04/2009] (Unable to calculate MD5)
C:\Windows\System32\drivers\sv-SE\afd.sys.mui --a--- 9216 bytes [07:12 03/04/2007] [07:12 03/04/2007] CA3706E4010BDA319761AFD64B48284F
C:\Windows\winsxs\x86_microsoft-windows-winsock-core.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_2ece0088c9a99015\afd.sys.mui --a--- 9216 bytes [07:12 03/04/2007] [07:12 03/04/2007] CA3706E4010BDA319761AFD64B48284F
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys --a--- 270336 bytes [08:58 02/11/2006] [08:58 02/11/2006] 5D24CAF8EFD924A875698FF28384DB8B
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys --a--- 273920 bytes [11:59 05/06/2008] [05:57 19/01/2008] 763E172A55177E478CB419F88FD0BA03
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys --a--- 273920 bytes [22:44 23/09/2009] [04:47 11/04/2009] (Unable to calculate MD5)

-=End Of File=-


#12 Farbar
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 May 2010 - 05:13 AM

Okay, we need to make 2 batch files. Make them now so you have them ready, because at one stage you will lose your internet connection and will need to have the batch files ready. Make sure you run the batch files as admin; otherwise it will not work.

Name them step1.bat and step2.bat in the order I have presented the syntax:

QUOTE
sc config afd start= disabled >log.txt 2>&1


QUOTE
takeown /f "%systemroot%\system32\drivers\afd.sys" /a >>log.txt 2>&1
del /a/f/q c:\windows\system32\drivers\afd.sys
xcopy /h /v /y C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys c:\windows\system32\drivers >>log.txt 2>&1
sc config afd start= system >>log.txt 2>&1


1. Run step1.bat as Admin, then reboot the computer.
2. Run step2.bat as Admin and reboot the computer.
3. After doing this, run TDLfix as Admin, type mbr and press Enter to make the log, and post it here.
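The check that the SystemLook log in post #11 and the restore procedure in post #12 do by hand, as an added example that is not from the thread or from Farbar's tools: compare the live afd.sys with the copies in the WinSxS component store, check its Authenticode signature, and show the driver service's start mode. It assumes PowerShell 4 or later (for Get-FileHash) on an elevated prompt; the driver name parameter, variable names and output layout are the example's own.

```powershell
# Added example, not code from the thread. Compares the live copy of a driver with the
# copies Windows keeps in the component store (WinSxS), checks its Authenticode
# signature and shows how the driver service is configured to start.
# Assumes PowerShell 4+ (Get-FileHash) and an elevated prompt.
param(
    [string]$DriverName = 'afd.sys'   # the driver from the thread; any system32\drivers file works
)

$live = Join-Path $env:SystemRoot "System32\drivers\$DriverName"
$sxs  = Join-Path $env:SystemRoot 'winsxs'

function Get-DriverFacts {
    param([string]$Path)
    $facts = [ordered]@{ Path = $Path; Size = $null; SHA256 = $null; Signature = $null; Signer = $null; Error = $null }
    try {
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        $facts.Size = $item.Length
        # A rootkit filtering I/O to the file it infected typically makes this read fail with
        # "Access denied" even for an administrator, although the ACLs (as icacls shows) are normal.
        $facts.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $facts.Signature = [string]$sig.Status
        if ($sig.SignerCertificate) { $facts.Signer = $sig.SignerCertificate.Subject }
    } catch {
        $facts.Error = $_.Exception.Message
    }
    [pscustomobject]$facts
}

Write-Host "== Live driver: $live =="
$liveFacts = Get-DriverFacts -Path $live
$liveFacts | Format-List Size, SHA256, Signature, Signer, Error

Write-Host "== Component store copies =="
$sxsCopies = @(Get-ChildItem -LiteralPath $sxs -Recurse -File -Filter $DriverName -ErrorAction SilentlyContinue |
    ForEach-Object { Get-DriverFacts -Path $_.FullName })
$sxsCopies | Format-Table Size, SHA256, Signature, Path -AutoSize

# Verdict: the live file should be readable, carry a valid signature and hash-match at least
# one component-store copy (the thread restored afd.sys from the 6.0.6001.18000 WinSxS copy).
$findings = @()
if ($liveFacts.Error) {
    $findings += "Cannot read $live ($($liveFacts.Error)). An administrator being denied a read of a " +
                 "system driver is itself a strong indicator; finish the check from offline media or WinRE."
} else {
    if ($liveFacts.Signature -ne 'Valid') {
        $findings += "$live signature status is '$($liveFacts.Signature)', expected 'Valid'."
    }
    $match = $sxsCopies | Where-Object { $_.SHA256 -and $_.SHA256 -eq $liveFacts.SHA256 }
    if (-not $match) {
        $findings += "$live does not hash-match any WinSxS copy; compare file versions with the installed service pack before restoring."
    } else {
        Write-Host "Live file matches: $($match | Select-Object -First 1 -ExpandProperty Path)"
    }
}
if ($findings.Count -eq 0) { Write-Host "OK: no findings for $live" }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Driver service start mode; the thread set it to 'disabled' before replacing the file and
# back to 'system' afterwards (sc config afd start= ...). 'System' is the expected value for afd.
$svcName = [IO.Path]::GetFileNameWithoutExtension($DriverName)
Get-CimInstance Win32_SystemDriver -Filter "Name='$svcName'" |
    Select-Object Name, State, StartMode, PathName
```

On older Windows versions Get-AuthenticodeSignature does not consult catalog files, so a catalog-signed Microsoft driver can report NotSigned there; the hash comparison against the WinSxS copies is the reliable check in that case.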


#13 Hhar
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2010 - 05:43 AM

Encountered problems on step 3: the TDLfix window returns "mbr.exe is not a valid internal/external command" etc.
A window pops up saying that it can't find mbr.log.

EDIT: By the way, Norton warned me about TDLfix when it finished downloading, but I chose it as a trusted file, so I guessed it wouldn't interfere.

Edited by Hhar, 11 May 2010 - 05:51 AM.


#14 Farbar
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 May 2010 - 05:49 AM

Could the rootkit have removed mbr.exe? Could you please check whether mbr.exe is in the Windows directory?

If there is no mbr.exe in the Windows directory, the rootkit has removed it. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

Then run TDLfix.exe with the mbr directive.


#15 Hhar
  • Topic Starter
  • Members
  • 12 posts

Posted 11 May 2010 - 05:59 AM

Found MBR.DLL and MBR.INI but no mbr.exe.

Downloaded mbr.exe and now it worked.
QUOTE
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll prosync1.sys storport.sys nvstor32.sys
kernel: MBR read successfully
user & kernel MBR OK




