
Infected with win32/Alureon.H


#1 trainingwheels

Posted 27 May 2010 - 05:28 AM

I run Windows XP

The last couple of days I noticed:
No volume icon in the tray
Win display is in 'classic' mode only. No XP theme available
Internet connection fails due to missing internet settings
Web page redirects occur

I googled the symptoms and it appears it is due to a virus.

I ran Microsoft's online scanner; it detected win32/Alureon.H (but cannot remove it).

Help in its removal would be greatly appreciated.

Paul


#2 boopme

Posted 27 May 2010 - 11:22 AM

Hello and welcome...
Please follow our Removal Guide here: How to remove the TDSS, TDL3, or Alureon rootkit

You will move to the Automated Removal Instructions

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 trainingwheels

Posted 27 May 2010 - 06:49 PM

Hi boopme, and thanks for helping me out.

I have spent the last couple of days trawling the net looking for solutions. Have tried several on-line scanners - they either find nothing or find something and want a sale for a fix.

I ran TDSSKiller and it found one problem and fixed it.

On reboot I noticed XP themes are back, along with the volume icon in the tray, so that was nice.

I ran MBAM full system scan. Took one hour. It found no probs, but prev scans also found no probs. After the scan I noticed a log file was not saved. The option to save a log was deselected. I will submit the log file for a QUICK SCAN then submit the log file for a FULL SCAN in an hour's time.

QUICK SCAN LOG:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4149

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/05/2010 9:35:14 AM
mbam-log-2010-05-28 (09-35-14).txt

Scan type: Quick scan
Objects scanned: 129822
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme

Posted 27 May 2010 - 07:16 PM

Hi, would you please post the TDSSKiller log if possible. A log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

After posting the MBAM log I feel we should still run these, as this is a dangerous malware that can steal personal info.

Next run ATF and SAS: If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from its icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#5 trainingwheels

Posted 27 May 2010 - 08:25 PM

OK, will do.

Standby.

#6 trainingwheels

Posted 27 May 2010 - 08:32 PM

Here is the TDSSkiller log:

08:12:58:984 2500 TDSS rootkit removing tool 2.3.1.0 May 25 2010 12:52:14
08:12:58:984 2500 ================================================================================
08:12:58:984 2500 SystemInfo:

08:12:58:984 2500 OS Version: 5.1.2600 ServicePack: 3.0
08:12:58:984 2500 Product type: Workstation
08:12:58:984 2500 ComputerName: LUCCA
08:12:58:984 2500 UserName: Paul
08:12:58:984 2500 Windows directory: C:\WINDOWS
08:12:58:984 2500 Processor architecture: Intel x86
08:12:58:984 2500 Number of processors: 2
08:12:58:984 2500 Page size: 0x1000
08:12:58:984 2500 Boot type: Normal boot
08:12:58:984 2500 ================================================================================
08:12:59:375 2500 Initialize success
08:12:59:375 2500
08:12:59:375 2500 Scanning Services ...
08:13:00:421 2500 Raw services enum returned 357 services
08:13:00:437 2500
08:13:00:437 2500 Scanning Drivers ...
08:13:07:218 2500 Serial (f5429e17805e2fdb187b3b21275bc879) C:\WINDOWS\system32\DRIVERS\serial.sys
08:13:07:218 2500 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: f5429e17805e2fdb187b3b21275bc879, Fake md5: cca207a8896d4c6a0c9ce29a4ae411a7
08:13:07:218 2500 File "C:\WINDOWS\system32\DRIVERS\serial.sys" infected by TDSS rootkit ... 08:13:15:218 2500 Backup copy found, using it..
08:13:15:593 2500 will be cured on next reboot
08:13:17:546 2500 Reboot required for cure complete..
08:13:18:375 2500 Cure on reboot scheduled successfully
08:13:18:375 2500
08:13:18:375 2500 Completed
08:13:18:375 2500
08:13:18:375 2500 Results:
08:13:18:375 2500 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:13:18:375 2500 File objects infected / cured / cured on reboot: 1 / 0 / 1
08:13:18:375 2500
08:13:18:468 2500 KLMD(ARK) unloaded successfully
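As an added example (not code from this thread, and not part of TDSSKiller itself), a small Python parser for the TDSSKiller log format posted above: it pulls out the driver table, the "Suspicious file (Forged)" line with its real/fake MD5 pair and the Results block, then cross-checks them the way a responder would before deciding whether a reboot and re-scan are still needed. The sample log and its hashes are constructed placeholders that mirror the format, not values from the machine in the thread.

```python
import re
from dataclasses import dataclass, field

# One enumerated driver: "<hh:mm:ss:ms> <pid> <Name> (<md5>) <path>"
DRIVER_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$"
)
# Detection line: the scanner obtained two different hashes for one file,
# i.e. the contents seen through the normal I/O path differ from what it
# read directly; that mismatch is the rootkit detection signal.
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})"
)
# Summary block at the end of the log
RESULT_RE = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class ScanReport:
    drivers: list = field(default_factory=list)  # Driver entries, in log order
    forged: list = field(default_factory=list)   # (path, real_md5, fake_md5)
    results: dict = field(default_factory=dict)  # kind -> (infected, cured, cured_on_reboot)
    reboot_required: bool = False


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Parse raw log text into a ScanReport; lines of other kinds are ignored."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            report.drivers.append(Driver(m["name"], m["md5"], m["path"]))
            continue
        m = FORGED_RE.search(line)
        if m:
            report.forged.append((m["path"], m["real"], m["fake"]))
            continue
        m = RESULT_RE.search(line)
        if m:
            report.results[m["kind"]] = (int(m["infected"]), int(m["cured"]), int(m["reboot"]))
            continue
        if "Reboot required" in line:
            report.reboot_required = True
    return report


def forged_entries(report: ScanReport) -> list:
    """Join each forged path with its driver-table entry.
    Returns (driver_name, path, real_md5, fake_md5, hashes_differ) tuples."""
    by_path = {d.path.lower(): d for d in report.drivers}
    out = []
    for path, real, fake in report.forged:
        drv = by_path.get(path.lower())
        name = drv.name if drv else "<not in driver table>"
        out.append((name, path, real, fake, real != fake))
    return out


def outstanding(report: ScanReport) -> dict:
    """Objects reported infected but neither cured nor scheduled for cure on reboot."""
    return {kind: infected - cured - reboot
            for kind, (infected, cured, reboot) in report.results.items()}


def summarize(report: ScanReport) -> str:
    """Human-readable triage summary of one scan."""
    lines = [f"{len(report.drivers)} drivers enumerated, {len(report.forged)} forged"]
    for name, path, real, fake, differ in forged_entries(report):
        flag = "hashes differ" if differ else "hashes equal"
        lines.append(f"  FORGED {name}: {path} (real {real[:8]}.., fake {fake[:8]}.., {flag})")
    for kind, n in outstanding(report).items():
        if n > 0:
            lines.append(f"  WARNING: {n} {kind.lower()} object(s) infected and not cured")
    if report.reboot_required:
        lines.append("  cure scheduled for next boot: reboot, then re-scan to confirm")
    return "\n".join(lines)


# Constructed sample in the posted format; the MD5 values are placeholders.
SAMPLE_LOG = r"""
08:12:58:984 2500 TDSS rootkit removing tool 2.3.1.0 May 25 2010 12:52:14
08:13:00:437 2500 Scanning Drivers ...
08:13:01:218 2500 ACPI (11111111111111111111111111111111) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:13:07:218 2500 Serial (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) C:\WINDOWS\system32\DRIVERS\serial.sys
08:13:07:218 2500 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\serial.sys. Real md5: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, Fake md5: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
08:13:07:218 2500 File "C:\WINDOWS\system32\DRIVERS\serial.sys" infected by TDSS rootkit ... will be cured on next reboot
08:13:17:546 2500 Reboot required for cure complete..
08:13:18:375 2500 Results:
08:13:18:375 2500 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
08:13:18:375 2500 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

if __name__ == "__main__":
    print(summarize(parse_tdsskiller_log(SAMPLE_LOG)))
```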

#7 boopme

Posted 27 May 2010 - 08:50 PM

It was in your Modem driver so that's why you had connection issues..

This malware worked to allow hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please change your passwords and it would be wise to contact those same financial institutions to apprise them of your situation.

#8 trainingwheels

Posted 27 May 2010 - 11:06 PM

Ok, thanks for the heads up. I do not carry out financial transactions over the net for that very reason.

Gee that SupAntSpyW scan took forever - just under two hours. No threats found.

I have been using that prog for several months and a complete scan normally takes 10 min. That is with the default settings. I intend to continue to use the prog. Should I leave the settings as is or use the defaults like I have been normally?

Here is the SAS log file.

(The MBAM log will be an hour away)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/28/2010 at 01:41 PM

Application Version : 4.35.1000

Core Rules Database Version : 5000
Trace Rules Database Version: 2812

Scan type : Complete Scan
Total Scan Time : 01:56:24

Memory items scanned : 268
Memory threats detected : 0
Registry items scanned : 6462
Registry threats detected : 0
File items scanned : 58237
File threats detected : 0

#9 trainingwheels

Posted 28 May 2010 - 12:46 AM

Here is the log file from MBAM:

Looks nice and clean. Looks like we've had a win, boopme. :thumbsup:

Complete Scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4150

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/05/2010 3:35:56 PM
mbam-log-2010-05-28 (15-35-56).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 187631
Time elapsed: 51 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

... back to you.

#10 boopme

Posted 28 May 2010 - 10:25 AM

Hi, yep, it's good here..
We feel the settings we recommend are the best configuration to find malware in its most likely hiding places, at least for the initial scan. For routine scanning the quick scan is OK.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#11 trainingwheels

Posted 28 May 2010 - 07:17 PM

Have created a new restore point and deleted all but the latest as requested.

Thanks for your help. If ever you are passing through Newcastle Australia let me know so I can invite you over for a beer / coffee. :thumbsup:

One more thing before signing off:

I have noticed on my PC and my laptop that the log on Welcome screen is not displayed. I did a windows update last week on both machines, so I strongly suspect this to be the cause. When I go into Account Manager and select 'Show Welcome screen at log on' (or however it is worded) it accepts the request, but come log on it displays the small rectangular 'classic' logon box, on both machines. Any tips?

Cheers, TW

#12 boopme

Posted 28 May 2010 - 07:38 PM

We could try running SFC

Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.

#13 trainingwheels

Posted 28 May 2010 - 08:52 PM

Thanks for the tip. Will see how it goes later tonight.

#14 trainingwheels

Posted 29 May 2010 - 09:42 PM

Did as instructed, the disc was accessed about 10 times, rebooted, no change, updated windows (the last 3 updates were re-downloaded), and unfortunately no change. Deselected 'show welcome screen', rebooted, reselected 'show welcome screen', rebooted, still no change. :thumbsup:

#15 boopme

Posted 01 June 2010 - 11:15 AM

Hello, sorry, I was away all weekend.. That was the best idea I had. You should ask this in the XP forum at the top. They will have more ideas.