Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Rootkit.Win32.TDSS.tdl4


  • This topic is locked This topic is locked
41 replies to this topic

#1 Ralien

Ralien

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 26 September 2010 - 09:16 PM

I am being redirected from google and getting random pop ups. Also open in new tab is acting as open in new window.

When I ran dds it came back with:
L!This program cannot be run in DOS mode.

when I ran gmer it said:
gmer.exe has stoped working

I am running 32 bit Windows vista home premium sp2 with MCafee antivirus plus. However real time scanning is disabled and I am unable to enable it.

I tried to fix it, in this order, with system restore, rkill, Malwarebytes, Combofix, and TDSSKiller. TDSSKiller is what said I have Rootkit.Win32.TDSS.tdl4 but it was unable to remove it.

Attached is combofix log.

Thanks for your help.

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:10 AM

Posted 01 October 2010 - 01:15 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
  1. Do not run any other tool untill instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from RKUnHooker
      3.let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Ralien

Ralien
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 02 October 2010 - 12:50 AM

Gringo,
Thanks for helping.

Since my first post some of the things that have popped up are TosIPCSrv.exe has stopped working and a fake Windows Security alert with and address of hxxp://wuhakym.co.cc/?id=06abQDcx

Defogger worked fine

When I ran dds it came up with a txt file that again said:
This program cannot be run in DOS mode. It included alot of seamingly random charachters I included a portion of it below. In total it is a 513kb .txt file of jibberish. I did not get an Attach.txt

RKUnhooker worked fine attached is the log.




PORTION of dds log
MZ   @  !L!This program cannot be run in DOS mode.

$ PE L +I  2 n Z   @     0  f          .code     PEC2FO .rsrc    $R Pd5 d% 3PECompact2 VK ўoTN<N<T#=L34w
lTS`M6lՍ[NPHr_0)a ؾ,f)|Bţ3]ˣoKjvh-Pw4l4` \3nfwp"nseXcDgϨ|0 O E J\#2\bN\Mk(^EK] m
<_@tHw,K{YwCdAEj]vWbڰ.ϓcF (C&{;yU2)[)g*uŊ0ʫ䜁M呎s

Attached Files


Edited by gringo_pr, 02 October 2010 - 01:09 AM.


#4 Ralien

Ralien
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 02 October 2010 - 01:02 AM

Gringo,
I did not think to try a different downlaod link for dds. A different one worked attached are the logs.
Thanks,

Attached Files



#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:10 AM

Posted 02 October 2010 - 01:11 AM

Greetings

In total it is a 513kb .txt file of jibberishit is an issue with autocad

One or more of the identified infections is Known as a Backdoor Trojan. - TDSS rootkit <--please read

What this virus does do.
QUOTE
Functionality
The functionality that the Trojan exhibits implies that it has been designed with profit-making as its primary objective. Making money from the Web typically involves generating Web traffic, installing pay-per-install software and also by generating sales leads for other Web sites and services of a dubious nature. It tries to achieve its objective by employing an array of techniques to try and make the user participate in these income-generating activities.


What the virus can do.
QUOTE
Backdoor.Tidserv is a Trojan horse that uses an advanced rootkit to hide itself. It also displays advertisements, redirects user search results, and opens a back door on the compromised computer.


This "could" allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can clean this machine but I cannot guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

I Would like you to do the following.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"
    In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 Ralien

Ralien
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 02 October 2010 - 10:52 AM

When I ran ComboFix I got an alert "Como Fix has detected the presence of rootkit activity and needs to restart the machine"
I clicked ok and it ran upon start up. Log is attached.

After a quick check I am still being redirected and experiencing some slowness. Also when I click open in new tab it is still sometimes opening in new window.

Thanks,

Attached Files



#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:10 AM

Posted 02 October 2010 - 11:18 AM

ComboFix 10-10-01.06 - Gato Negro 10/02/2010 8:22.3.2 - x86
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.2941.2136 [GMT -7:00]
Running from: c:\users\Gato Negro\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-09-02 to 2010-10-02 )))))))))))))))))))))))))))))))
.

2010-10-02 15:35 . 2010-10-02 15:37 -------- d-----w- c:\users\Gato Negro\AppData\Local\temp
2010-10-02 15:35 . 2010-10-02 15:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-10-02 15:35 . 2010-10-02 15:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-25 23:43 . 2010-09-25 23:43 -------- d-----w- C:\$RECYCLE(0).BIN
2010-09-25 23:43 . 2010-09-26 00:53 -------- d-----w- c:\users\Gato Negro\AppData\Local\temp(222)
2010-09-20 06:16 . 2010-09-20 06:16 -------- d-----w- c:\programdata\Kaspersky Lab
2010-09-12 05:48 . 2010-09-12 05:48 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-10 23:48 . 2010-09-10 23:48 -------- d-----w- c:\users\Gato Negro\AppData\Local\temp(13)
2010-09-06 06:56 . 2010-09-06 06:56 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\DivX
2010-09-06 06:55 . 2010-09-06 06:57 -------- d-----w- c:\program files\DivX
2010-09-06 06:54 . 2010-09-06 06:57 -------- d-----w- c:\programdata\DivX
2010-09-03 02:57 . 2010-09-26 04:51 -------- d-----w- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 03:52 . 2009-07-01 22:24 1356 ----a-w- c:\users\Gato Negro\AppData\Local\d3d9caps.dat
2010-09-26 05:01 . 2008-12-10 19:26 -------- d-----w- c:\programdata\Microsoft Help
2010-09-26 04:55 . 2010-04-08 00:55 -------- d-----w- c:\program files\DVDFab 7
2010-09-26 04:55 . 2009-12-21 00:12 47360 ----a-w- c:\users\Gato Negro\AppData\Roaming\pcouffin.sys
2010-09-26 04:55 . 2009-12-21 00:12 47360 ----a-w- c:\users\Gato Negro\AppData\Roaming\pcouffin.sys
2010-09-26 04:55 . 2009-12-20 06:57 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\Vso
2010-09-26 04:54 . 2009-07-01 20:29 -------- d-----w- c:\program files\Sony
2010-09-26 04:50 . 2010-01-09 04:20 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\SanDisk
2010-09-26 04:47 . 2008-02-13 02:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-26 01:03 . 2010-03-18 08:25 -------- d-----w- c:\program files\Smart Projects
2010-09-26 01:03 . 2009-07-04 03:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-26 01:03 . 2008-12-11 05:17 -------- d-----w- c:\program files\Common Files\McAfee
2010-09-25 20:21 . 2010-09-25 04:22 112 ----a-w- c:\programdata\CH15KyW6W.dat
2010-09-06 20:01 . 2008-02-13 02:32 -------- d-----w- c:\program files\Google
2010-09-02 08:07 . 2008-02-13 01:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-24 21:57 . 2010-05-30 07:22 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 21:57 . 2010-05-30 07:21 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 21:57 . 2010-05-30 07:21 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-08-24 21:57 . 2010-05-30 07:21 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 21:57 . 2010-05-30 07:21 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 21:57 . 2010-05-30 07:21 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 21:57 . 2010-05-30 07:21 164808 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-08-24 21:57 . 2010-05-30 07:21 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 21:57 . 2010-04-14 19:50 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 21:57 . 2008-06-27 14:08 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-16 10:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-16 07:09 . 2008-01-21 02:23 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2010-08-16 06:24 . 2010-08-16 06:24 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\McAfee
2010-08-16 06:23 . 2008-12-11 05:17 -------- d-----w- c:\program files\McAfee
2010-08-16 06:23 . 2008-12-11 03:54 -------- d-----w- c:\programdata\McAfee
2010-08-16 00:06 . 2010-08-06 02:45 120 ----a-w- c:\users\Gato Negro\AppData\Local\Udakujomura.dat
2010-08-16 00:06 . 2010-08-06 02:45 0 ----a-w- c:\users\Gato Negro\AppData\Local\Rbogomigobaba.bin
2010-08-08 01:01 . 2010-08-08 01:01 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\Malwarebytes
2010-08-08 01:01 . 2010-08-08 01:01 -------- d-----w- c:\programdata\Malwarebytes
2010-07-12 06:00 . 2010-07-12 06:00 36864 ----a-w- c:\users\Gato Negro\AppData\Roaming\Autodesk\DWG TrueView 2011\R8\enu\ContextualTabSelectorRules.dll
2010-07-12 06:00 . 2008-12-10 21:00 146760 ----a-w- c:\users\Gato Negro\AppData\Local\GDIPFONTCACHEV1.DAT
2008-12-10 20:59 . 2008-12-10 20:59 15 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-10 20:59 . 2008-12-10 20:59 5 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-18 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-04-04 21:41 970752 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-10-26 01:41 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 19:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4195582489-672837306-1476075362-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-08-24 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-08-24 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-08-24 164808]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-08-24 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-08-24 141792]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-08-24 55840]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-08-24 312904]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/?_bc=1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-02 08:37
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????#&W?????h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8696CC76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x807cfd24
\Driver\ACPI -> acpi.sys @ 0x82a08d68
\Driver\atapi -> ataport.SYS @ 0x82b24a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-10-02 08:40:38
ComboFix-quarantined-files.txt 2010-10-02 15:40
ComboFix2.txt 2010-09-26 06:31
ComboFix3.txt 2010-09-25 23:43
ComboFix4.txt 2010-09-25 17:11
ComboFix5.txt 2010-10-02 15:07

Pre-Run: 50,073,903,104 bytes free
Post-Run: 50,583,289,856 bytes free

- - End Of File - - 6FBFF02E4E3C61FDFF2866B6B44D512B

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:10 AM

Posted 02 October 2010 - 11:20 AM

Hello

please run this for me


tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Ralien

Ralien
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 02 October 2010 - 10:19 PM

When I ran TDSSKiller it did not tell me I had a problem until the very end when it said:
- ! Malicious objects
- Rootkit.Win.32.TDSS.tdl4 Cure
MBR
Name: \HardDisk0\MBR

It said this would be cured after reboot. (If it helps) This is exactly what said in the past and the problem never went away.

Also during the reboot I got a Blue Screen that flashed to quick for me to read and then I was given the option to start normaly or in safe mode. I chose normal and the cycle repeated Blue Screen and start up options. This time I chose safe mode and it started.

Also when windows did start up in safe mode system properties was open on the computer name tab.

In safe mode so far I have not been redirected from the google search page.

Log below.
Thanks,

2010/10/02 19:48:41.0061 TDSS rootkit removing tool 2.4.3.0 Sep 27 2010 15:28:54
2010/10/02 19:48:41.0061 ================================================================================
2010/10/02 19:48:41.0061 SystemInfo:
2010/10/02 19:48:41.0061
2010/10/02 19:48:41.0061 OS Version: 6.0.6002 ServicePack: 2.0
2010/10/02 19:48:41.0061 Product type: Workstation
2010/10/02 19:48:41.0061 ComputerName: GATONEGRO
2010/10/02 19:48:41.0062 UserName: Gato Negro
2010/10/02 19:48:41.0062 Windows directory: C:\Windows
2010/10/02 19:48:41.0062 System windows directory: C:\Windows
2010/10/02 19:48:41.0062 Processor architecture: Intel x86
2010/10/02 19:48:41.0062 Number of processors: 2
2010/10/02 19:48:41.0062 Page size: 0x1000
2010/10/02 19:48:41.0062 Boot type: Normal boot
2010/10/02 19:48:41.0062 ================================================================================
2010/10/02 19:48:41.0636 Initialize success
2010/10/02 19:49:10.0119 ================================================================================
2010/10/02 19:49:10.0119 Scan started
2010/10/02 19:49:10.0119 Mode: Manual;
2010/10/02 19:49:10.0119 ================================================================================
2010/10/02 19:49:11.0559 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/10/02 19:49:11.0685 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/10/02 19:49:11.0801 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/10/02 19:49:11.0837 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/10/02 19:49:11.0878 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/10/02 19:49:12.0068 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\Windows\system32\drivers\Afc.sys
2010/10/02 19:49:12.0235 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/10/02 19:49:12.0461 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
2010/10/02 19:49:12.0645 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/10/02 19:49:12.0935 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/10/02 19:49:13.0051 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2010/10/02 19:49:13.0110 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/10/02 19:49:13.0210 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2010/10/02 19:49:13.0328 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/10/02 19:49:13.0388 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2010/10/02 19:49:13.0545 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/10/02 19:49:13.0634 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/10/02 19:49:13.0692 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/10/02 19:49:13.0852 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/10/02 19:49:13.0962 athr (8be56f8300e1c37b578da23c71816b7a) C:\Windows\system32\DRIVERS\athr.sys
2010/10/02 19:49:14.0226 atikmdag (22d300f835600c9c634860cf2912f9cf) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/10/02 19:49:14.0404 AtiPcie (4aa1eb65481c392955939e735d27118b) C:\Windows\system32\DRIVERS\AtiPcie.sys
2010/10/02 19:49:14.0975 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/10/02 19:49:15.0090 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/10/02 19:49:15.0171 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/10/02 19:49:15.0370 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/10/02 19:49:15.0421 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/10/02 19:49:15.0504 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/10/02 19:49:15.0554 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/10/02 19:49:15.0674 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/10/02 19:49:15.0698 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/10/02 19:49:15.0847 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/10/02 19:49:16.0150 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/10/02 19:49:16.0359 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/10/02 19:49:16.0565 cfwids (426ee59b25988bb3382fc0a3655deaa2) C:\Windows\system32\drivers\cfwids.sys
2010/10/02 19:49:16.0863 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/10/02 19:49:16.0998 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/10/02 19:49:17.0138 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/10/02 19:49:17.0288 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2010/10/02 19:49:17.0369 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/10/02 19:49:17.0476 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/10/02 19:49:17.0714 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/10/02 19:49:17.0946 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/10/02 19:49:18.0203 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/10/02 19:49:18.0308 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/10/02 19:49:18.0371 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/10/02 19:49:18.0473 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/10/02 19:49:18.0637 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/10/02 19:49:18.0875 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/10/02 19:49:19.0009 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/10/02 19:49:19.0173 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/10/02 19:49:19.0234 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/10/02 19:49:19.0337 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/10/02 19:49:19.0571 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/10/02 19:49:19.0680 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/10/02 19:49:19.0770 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/10/02 19:49:19.0979 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/10/02 19:49:20.0221 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/10/02 19:49:20.0346 FwLnk (cbc22823628544735625b280665e434e) C:\Windows\system32\DRIVERS\FwLnk.sys
2010/10/02 19:49:20.0462 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/10/02 19:49:20.0510 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2010/10/02 19:49:20.0604 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/10/02 19:49:20.0776 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/10/02 19:49:20.0846 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/10/02 19:49:20.0920 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/10/02 19:49:21.0059 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/10/02 19:49:21.0143 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/10/02 19:49:21.0323 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/10/02 19:49:21.0396 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/10/02 19:49:21.0578 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/10/02 19:49:21.0664 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/10/02 19:49:21.0776 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/10/02 19:49:21.0976 IntcAzAudAddService (8a4341616976e47712b60f18c7049dcc) C:\Windows\system32\drivers\RTKVHDA.sys
2010/10/02 19:49:22.0174 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/10/02 19:49:22.0225 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/10/02 19:49:22.0405 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/10/02 19:49:22.0512 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/10/02 19:49:22.0545 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/10/02 19:49:22.0582 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/10/02 19:49:22.0623 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/10/02 19:49:22.0727 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/10/02 19:49:22.0820 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/10/02 19:49:22.0920 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/10/02 19:49:23.0608 jswpslwf (7e72514a3a1c5a9f3bff0660b3866c2b) C:\Windows\system32\DRIVERS\jswpslwf.sys
2010/10/02 19:49:23.0874 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/10/02 19:49:24.0062 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2010/10/02 19:49:24.0122 KR10I (e8ca038f51f7761bd6e3a3b0b8014263) C:\Windows\system32\drivers\kr10i.sys
2010/10/02 19:49:24.0168 KR10N (6a4adb9186dd0e114e623daf57e42b31) C:\Windows\system32\drivers\kr10n.sys
2010/10/02 19:49:24.0320 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/10/02 19:49:24.0488 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/10/02 19:49:24.0556 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/10/02 19:49:24.0590 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2010/10/02 19:49:24.0662 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2010/10/02 19:49:24.0769 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/10/02 19:49:25.0010 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2010/10/02 19:49:25.0169 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2010/10/02 19:49:25.0273 mfeapfk (5bd0c401a8ee4a54f6176c0a10d595ae) C:\Windows\system32\drivers\mfeapfk.sys
2010/10/02 19:49:25.0314 mfeavfk (f3bb4dc61b4dc662bdc778cf1634fae1) C:\Windows\system32\drivers\mfeavfk.sys
2010/10/02 19:49:25.0514 mfebopk (b1498db38d129ed31650422fc8bab9c5) C:\Windows\system32\drivers\mfebopk.sys
2010/10/02 19:49:25.0580 mfefirek (51e9ccea45c78858a229afb6e682cf41) C:\Windows\system32\drivers\mfefirek.sys
2010/10/02 19:49:25.0660 mfehidk (32f7298664874715ce469a79078853c4) C:\Windows\system32\drivers\mfehidk.sys
2010/10/02 19:49:25.0786 mfenlfk (e920bfd5837aed4aef903cf1c7d3949e) C:\Windows\system32\DRIVERS\mfenlfk.sys
2010/10/02 19:49:25.0849 mferkdet (858337b64484cd80eee7d2eba5ac61bc) C:\Windows\system32\drivers\mferkdet.sys
2010/10/02 19:49:25.0917 mfewfpk (dcfbf068951fb4086c6aef99c6330516) C:\Windows\system32\drivers\mfewfpk.sys
2010/10/02 19:49:25.0987 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/10/02 19:49:26.0093 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/10/02 19:49:26.0175 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/10/02 19:49:26.0217 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/10/02 19:49:26.0275 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/10/02 19:49:26.0392 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2010/10/02 19:49:26.0427 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/10/02 19:49:26.0477 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/10/02 19:49:26.0527 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/10/02 19:49:26.0661 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/10/02 19:49:26.0725 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/10/02 19:49:26.0761 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/10/02 19:49:26.0812 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2010/10/02 19:49:26.0902 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2010/10/02 19:49:26.0999 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/10/02 19:49:27.0082 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/10/02 19:49:27.0225 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/10/02 19:49:27.0295 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/10/02 19:49:27.0384 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/10/02 19:49:27.0440 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/10/02 19:49:27.0558 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/10/02 19:49:27.0629 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/10/02 19:49:27.0705 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/10/02 19:49:27.0845 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/10/02 19:49:28.0058 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/10/02 19:49:28.0204 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/10/02 19:49:28.0317 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/10/02 19:49:28.0430 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/10/02 19:49:28.0561 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/10/02 19:49:28.0648 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/10/02 19:49:28.0744 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/10/02 19:49:29.0111 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/10/02 19:49:29.0246 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/10/02 19:49:29.0288 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/10/02 19:49:29.0388 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/10/02 19:49:29.0508 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/10/02 19:49:29.0591 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
2010/10/02 19:49:29.0660 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/10/02 19:49:29.0769 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2010/10/02 19:49:29.0826 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2010/10/02 19:49:29.0867 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2010/10/02 19:49:30.0002 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2010/10/02 19:49:30.0168 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/10/02 19:49:30.0255 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/10/02 19:49:30.0326 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/10/02 19:49:30.0480 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\Windows\system32\DRIVERS\pccsmcfd.sys
2010/10/02 19:49:30.0592 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/10/02 19:49:30.0663 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2010/10/02 19:49:30.0786 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/10/02 19:49:30.0859 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
2010/10/02 19:49:30.0984 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/10/02 19:49:31.0106 pfc (444f122e68db44c0589227781f3c8b3f) C:\Windows\system32\drivers\pfc.sys
2010/10/02 19:49:31.0329 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/10/02 19:49:31.0394 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2010/10/02 19:49:31.0503 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/10/02 19:49:31.0631 PxHelp20 (f7bb4e7a7c02ab4a2672937e124e306e) C:\Windows\system32\Drivers\PxHelp20.sys
2010/10/02 19:49:31.0760 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2010/10/02 19:49:31.0849 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/10/02 19:49:31.0936 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/10/02 19:49:32.0014 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/10/02 19:49:32.0055 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/10/02 19:49:32.0148 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/10/02 19:49:32.0219 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/10/02 19:49:32.0333 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/10/02 19:49:32.0418 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/10/02 19:49:32.0508 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2010/10/02 19:49:32.0583 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/10/02 19:49:32.0659 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/10/02 19:49:32.0833 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/10/02 19:49:32.0935 RTL8169 (13e97cf38286b8a1d7605d3175db28ee) C:\Windows\system32\DRIVERS\Rtlh86.sys
2010/10/02 19:49:32.0981 RTSTOR (d1fb9a678bd6c2b1129fcb09d5feb6dd) C:\Windows\system32\drivers\RTSTOR.SYS
2010/10/02 19:49:33.0089 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/10/02 19:49:33.0165 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/10/02 19:49:33.0231 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/10/02 19:49:33.0283 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/10/02 19:49:33.0398 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/10/02 19:49:33.0477 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2010/10/02 19:49:33.0516 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2010/10/02 19:49:33.0551 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2010/10/02 19:49:33.0577 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/10/02 19:49:33.0639 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2010/10/02 19:49:33.0746 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2010/10/02 19:49:33.0787 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2010/10/02 19:49:33.0908 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/10/02 19:49:34.0061 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/10/02 19:49:34.0266 srv (96a5e2c642af8f591a7366429809506b) C:\Windows\system32\DRIVERS\srv.sys
2010/10/02 19:49:34.0348 srv2 (71da2d64880c97e5ffc3c81761632751) C:\Windows\system32\DRIVERS\srv2.sys
2010/10/02 19:49:34.0404 srvnet (0c5ab1892ae0fa504218db094bf6d041) C:\Windows\system32\DRIVERS\srvnet.sys
2010/10/02 19:49:34.0567 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/10/02 19:49:34.0639 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/10/02 19:49:34.0688 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/10/02 19:49:34.0723 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/10/02 19:49:34.0800 SynTP (70534d1e4f9ac990536d5fb5b550b3de) C:\Windows\system32\DRIVERS\SynTP.sys
2010/10/02 19:49:35.0090 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/10/02 19:49:35.0445 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/10/02 19:49:35.0588 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/10/02 19:49:35.0644 tdcmdpst (1825bceb47bf41c5a9f0e44de82fc27a) C:\Windows\system32\DRIVERS\tdcmdpst.sys
2010/10/02 19:49:35.0690 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/10/02 19:49:35.0721 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/10/02 19:49:35.0876 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/10/02 19:49:35.0966 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/10/02 19:49:36.0330 tos_sps32 (1ea5f27c29405bf49799feca77186da9) C:\Windows\system32\DRIVERS\tos_sps32.sys
2010/10/02 19:49:36.0471 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/10/02 19:49:36.0609 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/10/02 19:49:36.0654 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/10/02 19:49:36.0728 TVALZ (792a8b80f8188aba4b2be271583f3e46) C:\Windows\system32\DRIVERS\TVALZ_O.SYS
2010/10/02 19:49:36.0795 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2010/10/02 19:49:36.0852 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/10/02 19:49:37.0028 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2010/10/02 19:49:37.0084 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2010/10/02 19:49:37.0132 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/10/02 19:49:37.0171 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/10/02 19:49:37.0273 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/10/02 19:49:37.0404 USB28xxBGA (c4a35e4c2b25f7adb4fb3e857962bb02) C:\Windows\system32\DRIVERS\emBDA.sys
2010/10/02 19:49:37.0456 USB28xxOEM (66f75d5b2a16db59fbd42e2922d2cd6f) C:\Windows\system32\DRIVERS\emOEM.sys
2010/10/02 19:49:37.0607 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/10/02 19:49:37.0689 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/10/02 19:49:37.0766 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/10/02 19:49:37.0813 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/10/02 19:49:37.0919 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2010/10/02 19:49:37.0952 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2010/10/02 19:49:38.0003 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/10/02 19:49:38.0046 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/10/02 19:49:38.0188 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2010/10/02 19:49:38.0267 UVCFTR (8c5094a8ab24de7496c7c19942f2df04) C:\Windows\system32\Drivers\UVCFTR_S.SYS
2010/10/02 19:49:38.0319 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/10/02 19:49:38.0398 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/10/02 19:49:38.0517 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2010/10/02 19:49:38.0554 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2010/10/02 19:49:38.0593 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2010/10/02 19:49:38.0696 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/10/02 19:49:38.0922 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/10/02 19:49:39.0064 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/10/02 19:49:39.0201 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2010/10/02 19:49:39.0347 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/10/02 19:49:39.0450 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/10/02 19:49:39.0471 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/10/02 19:49:39.0626 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2010/10/02 19:49:39.0763 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/10/02 19:49:39.0935 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
2010/10/02 19:49:40.0111 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/10/02 19:49:40.0167 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/10/02 19:49:40.0265 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/10/02 19:49:40.0362 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/02 19:49:40.0370 ================================================================================
2010/10/02 19:49:40.0370 Scan finished
2010/10/02 19:49:40.0370 ================================================================================
2010/10/02 19:49:40.0392 Detected object count: 1
2010/10/02 19:51:31.0494 \HardDisk0\MBR - will be cured after reboot
2010/10/02 19:51:31.0494 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/02 19:52:06.0204 Deinitialize success


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:10 AM

Posted 02 October 2010 - 10:30 PM

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
File::
c:\users\Gato Negro\AppData\Local\Rbogomigobaba.bin
c:\users\Gato Negro\AppData\Local\Udakujomura.dat


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Ralien

Ralien
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 02 October 2010 - 11:50 PM

Because of the same earlier note of Blue screen I ran combofix in safe mode. I made the file and added it to combo fix. Combo fix started and said it needed to update. I updated it and it ran correctly. I did not add the file to combofix again after the update as I assumed it was still there. If that is not true let me know and I will do it again.

After combofix ran I restarted the computer to see if it would run better and not have the blue screen problem. It did not work, I got the same problem of a blue screen and the startup options. I had to start it in safe mode again.

Mcafee AntiVirus Plus is still experiencing problems with real time scanning staying enabled.

Thanks for your continuing help,

ComboFix 10-10-01.07 - Gato Negro 10/02/2010 21:28:46.4.2 - x86 NETWORK
Microsoft Windows Vista Home Premium 6.0.6002.2.1252.1.1033.18.2941.2468 [GMT -7:00]
Running from: c:\users\Gato Negro\Desktop\ComboFix.exe
Command switches used :: c:\users\Gato Negro\Desktop\CFScript.txt.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Gato Negro\AppData\Local\Rbogomigobaba.bin"
"c:\users\Gato Negro\AppData\Local\Udakujomura.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Gato Negro\AppData\Local\Rbogomigobaba.bin
c:\users\Gato Negro\AppData\Local\Udakujomura.dat

.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-10-03 04:35 . 2010-10-03 04:36 -------- d-----w- c:\users\Gato Negro\AppData\Local\temp
2010-10-03 04:35 . 2010-10-03 04:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-10-03 04:35 . 2010-10-03 04:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-03 04:16 . 2010-10-03 04:16 -------- d-----w- C:\32788R22FWJFW
2010-09-25 23:43 . 2010-09-25 23:43 -------- d-----w- C:\$RECYCLE(0).BIN
2010-09-25 23:43 . 2010-09-26 00:53 -------- d-----w- c:\users\Gato Negro\AppData\Local\temp(222)
2010-09-20 06:16 . 2010-09-20 06:16 -------- d-----w- c:\programdata\Kaspersky Lab
2010-09-12 05:48 . 2010-09-12 05:48 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-09-10 23:48 . 2010-09-10 23:48 -------- d-----w- c:\users\Gato Negro\AppData\Local\temp(13)
2010-09-06 06:56 . 2010-09-06 06:56 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\DivX
2010-09-06 06:55 . 2010-09-06 06:57 -------- d-----w- c:\program files\DivX
2010-09-06 06:54 . 2010-09-06 06:57 -------- d-----w- c:\programdata\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 03:52 . 2009-07-01 22:24 1356 ----a-w- c:\users\Gato Negro\AppData\Local\d3d9caps.dat
2010-09-26 05:01 . 2008-12-10 19:26 -------- d-----w- c:\programdata\Microsoft Help
2010-09-26 04:55 . 2010-04-08 00:55 -------- d-----w- c:\program files\DVDFab 7
2010-09-26 04:55 . 2009-12-21 00:12 47360 ----a-w- c:\users\Gato Negro\AppData\Roaming\pcouffin.sys
2010-09-26 04:55 . 2009-12-21 00:12 47360 ----a-w- c:\users\Gato Negro\AppData\Roaming\pcouffin.sys
2010-09-26 04:55 . 2009-12-20 06:57 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\Vso
2010-09-26 04:54 . 2009-07-01 20:29 -------- d-----w- c:\program files\Sony
2010-09-26 04:51 . 2010-09-03 02:57 -------- d-----w- c:\program files\QuickTime
2010-09-26 04:50 . 2010-01-09 04:20 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\SanDisk
2010-09-26 04:47 . 2008-02-13 02:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-26 01:03 . 2010-03-18 08:25 -------- d-----w- c:\program files\Smart Projects
2010-09-26 01:03 . 2009-07-04 03:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-26 01:03 . 2008-12-11 05:17 -------- d-----w- c:\program files\Common Files\McAfee
2010-09-25 20:21 . 2010-09-25 04:22 112 ----a-w- c:\programdata\CH15KyW6W.dat
2010-09-06 20:01 . 2008-02-13 02:32 -------- d-----w- c:\program files\Google
2010-09-02 08:07 . 2008-02-13 01:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-24 21:57 . 2010-05-30 07:22 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-08-24 21:57 . 2010-05-30 07:21 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-08-24 21:57 . 2010-05-30 07:21 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-08-24 21:57 . 2010-05-30 07:21 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-08-24 21:57 . 2010-05-30 07:21 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-08-24 21:57 . 2010-05-30 07:21 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-08-24 21:57 . 2010-05-30 07:21 164808 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-08-24 21:57 . 2010-05-30 07:21 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-08-24 21:57 . 2010-04-14 19:50 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-08-24 21:57 . 2008-06-27 14:08 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-08-16 10:03 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-08-16 07:09 . 2008-01-21 02:23 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2010-08-16 06:24 . 2010-08-16 06:24 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\McAfee
2010-08-16 06:23 . 2008-12-11 05:17 -------- d-----w- c:\program files\McAfee
2010-08-16 06:23 . 2008-12-11 03:54 -------- d-----w- c:\programdata\McAfee
2010-08-08 01:01 . 2010-08-08 01:01 -------- d-----w- c:\users\Gato Negro\AppData\Roaming\Malwarebytes
2010-08-08 01:01 . 2010-08-08 01:01 -------- d-----w- c:\programdata\Malwarebytes
2010-07-12 06:00 . 2010-07-12 06:00 36864 ----a-w- c:\users\Gato Negro\AppData\Roaming\Autodesk\DWG TrueView 2011\R8\enu\ContextualTabSelectorRules.dll
2010-07-12 06:00 . 2008-12-10 21:00 146760 ----a-w- c:\users\Gato Negro\AppData\Local\GDIPFONTCACHEV1.DAT
1601-01-01 00:00 . 1601-01-01 00:00 0 --sha-w- c:\windows\System32\temppf.sys
2008-12-10 20:59 . 2008-12-10 20:59 15 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-12-10 20:59 . 2008-12-10 20:59 5 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-30 430080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-18 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-04-04 21:41 970752 ----a-w- c:\program files\Common Files\Adobe\Updater\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-10-26 01:41 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 19:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4195582489-672837306-1476075362-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-08-24 55840]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-08-24 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-08-24 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-08-24 164808]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-08-24 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-08-24 141792]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-08-24 312904]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE
*NewlyCreated* - PXHELP20

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/?_bc=1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-02 21:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i?????#&W?????h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfeavfk01]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-10-02 21:37:23
ComboFix-quarantined-files.txt 2010-10-03 04:37
ComboFix2.txt 2010-10-02 15:40
ComboFix3.txt 2010-09-26 06:31
ComboFix4.txt 2010-09-25 23:43
ComboFix5.txt 2010-10-03 04:16

Pre-Run: 53,522,677,760 bytes free
Post-Run: 53,497,262,080 bytes free

- - End Of File - - F13B0E241ECEB73A1CD3AB535D220208


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:10 AM

Posted 02 October 2010 - 11:59 PM

Looks like it worked this time how are things running now?

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Java™ 6 Update 3

    and click on remove

Install Java:

Please go here to install Java
  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Ralien

Ralien
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 03 October 2010 - 02:00 PM

I continue to get a blue screen and am unable to start normally. The blue screen is quick and all I have caught off it is "Windows has encountered a problem..... If this is the first time......."

I safe mode I was unable to uninstall Java I got a message that said:
Windows installer service could not be accessed. This can occur if the windows installer is not correctly installed.

Should I continue with the rest of the instructions and then try to uninstall Java at the end? Or should I do something else first?
Thanks,

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:10 AM

Posted 03 October 2010 - 02:05 PM

Hello

I need to know what the bluescreen says please do the following

Go to Start -> Control Panel -> System
Go to Advanced
Under the Startup and Recovery section, click Settings...
Under System Failure un-check "Automatically restart"


then start in normal mode and write down what the blue screen says


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 Ralien

Ralien
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 03 October 2010 - 04:44 PM

The restart continued after unchecking the box. So I took a video of it and transcribed it.
It said:

A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this error screen, restart your computer. If this screen appears again, follow these steps:

Check to see if you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000008E (0xC0000005, 0x82635CC7, 0x9C2E791C, 0x00000000)

Collecting data for crash dump...
Initializing disk for crash dump...




I have 50.8 GB free of 147GB on C: Drive and 1.32GB free of 1.46GB on Toshiba System Volume.
Thanks,




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users