Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


had massive malware plus antivirus 2010, still a rootkit

  • This topic is locked This topic is locked
15 replies to this topic

#1 MadAsHell83


  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 01 October 2010 - 09:57 PM

Well, im working on another computer, it had all kinds of junk on it as far as malware and spyware and such, plus Antivirus 2010. Ive used the usual arsenal of programs, Malwarebytes, superantispyware,ccleaner, hijackthis, and i have ran combofix but im not familiar with reading the logs and fixing stuff with it. the machine is running xp sp3, and i have installed Avast antivirus home. ive ran mbam, superanti, and avast until it stopped picking things up, ive looked through the hijackthis logs for the out of the ordinary files and such and fixed that, so now im not pickup anything with these scanners, but i still get the popups on ie8, mainly what ive noticed going to oddball news sites, i havent really noticed any redirects just popups. so i figured i would run combofix and see what was going on, first attempt it said it had detected rootkit activity, restarted the machine and it was able to complete the scan. so i have a recent combofix log and i havent changed anything since the scan, if anyone would be able to help me out with this i would greatly appreciate it. thanks for your time.


BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 AM

Posted 07 October 2010 - 07:45 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 MadAsHell83

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 07 October 2010 - 10:22 PM

sweet i appreciate any help that you can give me!

#4 MadAsHell83

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 08 October 2010 - 03:57 PM

im definately here.

#5 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 AM

Posted 08 October 2010 - 07:14 PM

First up, a little warning...

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Now we can use the fact that Combofix ran to glean some info from it.

Please go to Start >Run > and copy/paste the following, then press Enter


A log file should open. Please post that in your next reply.
Posted Image
m0le is a proud member of UNITE

#6 MadAsHell83

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 08 October 2010 - 08:50 PM

here you go, thanks a million

2010-10-02 01:49:25 . 2010-10-02 01:49:26 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593}.reg.dat
2010-10-02 01:37:35 . 2010-10-02 01:37:35 886 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_ZWANGISRCH_SERVICE.reg.dat
2010-10-02 01:37:11 . 2010-10-04 04:50:00 4,614 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-10-02 01:00:18 . 2010-10-04 04:39:35 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-09-28 04:06:43 . 2010-09-29 01:04:01 2,302 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir
2010-09-28 03:03:33 . 2010-09-28 03:03:34 54,016 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ukodoa.sys.vir
2010-09-15 18:00:06 . 2010-09-28 02:36:47 701 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\.wtav.vir
2009-05-18 22:09:39 . 2009-05-18 22:09:56 16,742,799 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\vlc-0.9.9-win32.exe.vir

#7 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 AM

Posted 08 October 2010 - 09:08 PM

Let's dig for a rootkit then
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
Posted Image
m0le is a proud member of UNITE

#8 MadAsHell83

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 08 October 2010 - 09:40 PM

first is the tssdkiller log

2010/10/08 22:31:56.0291 TDSS rootkit removing tool Oct 4 2010 09:06:59
2010/10/08 22:31:56.0291 ================================================================================
2010/10/08 22:31:56.0301 SystemInfo:
2010/10/08 22:31:56.0301
2010/10/08 22:31:56.0301 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/08 22:31:56.0301 Product type: Workstation
2010/10/08 22:31:56.0301 ComputerName: GIDNEY1
2010/10/08 22:31:56.0301 UserName: Gidney
2010/10/08 22:31:56.0301 Windows directory: C:\WINDOWS
2010/10/08 22:31:56.0301 System windows directory: C:\WINDOWS
2010/10/08 22:31:56.0301 Processor architecture: Intel x86
2010/10/08 22:31:56.0301 Number of processors: 1
2010/10/08 22:31:56.0301 Page size: 0x1000
2010/10/08 22:31:56.0301 Boot type: Normal boot
2010/10/08 22:31:56.0301 ================================================================================
2010/10/08 22:31:56.0681 Initialize success
2010/10/08 22:32:01.0959 ================================================================================
2010/10/08 22:32:01.0959 Scan started
2010/10/08 22:32:01.0959 Mode: Manual;
2010/10/08 22:32:01.0959 ================================================================================
2010/10/08 22:32:03.0130 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/10/08 22:32:03.0621 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/08 22:32:03.0872 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/10/08 22:32:04.0182 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/08 22:32:04.0543 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/08 22:32:05.0053 aliadwdm (065a6d38a79216592de03f3525d6296e) C:\WINDOWS\system32\drivers\ac97ali.sys
2010/10/08 22:32:05.0274 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/08 22:32:05.0594 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2010/10/08 22:32:06.0445 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010/10/08 22:32:06.0676 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/10/08 22:32:06.0886 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/10/08 22:32:07.0136 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2010/10/08 22:32:07.0377 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/10/08 22:32:07.0617 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/08 22:32:07.0877 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/08 22:32:08.0268 ati2mtag (83f24e252908e59c4a7ef203bf7f4c02) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/10/08 22:32:08.0618 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/08 22:32:08.0879 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/08 22:32:09.0199 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/08 22:32:09.0670 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/08 22:32:09.0960 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/08 22:32:10.0191 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/08 22:32:10.0561 Cdr4_xp (8b53c2b18868ac39c6642956dd9438d9) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2010/10/08 22:32:10.0812 Cdralw2k (ffc0d096168891f875adc1cf510acf32) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2010/10/08 22:32:11.0372 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/08 22:32:11.0733 cdudf_xp (d7de1dde4ab12353b7770bea483c3d22) C:\WINDOWS\system32\drivers\cdudf_xp.sys
2010/10/08 22:32:12.0063 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/10/08 22:32:12.0354 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/08 22:32:13.0025 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/08 22:32:13.0315 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/08 22:32:13.0676 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/08 22:32:13.0936 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/08 22:32:14.0156 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/08 22:32:14.0707 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/08 22:32:14.0978 dvd_2K (a4addd84ea3175b40abf4592a70408c4) C:\WINDOWS\system32\drivers\dvd_2K.sys
2010/10/08 22:32:15.0298 FA312 (aa855fb8a866281aacb393c1feab91ae) C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
2010/10/08 22:32:15.0548 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/08 22:32:15.0819 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/08 22:32:16.0069 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/08 22:32:16.0309 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/08 22:32:16.0720 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/08 22:32:16.0950 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/08 22:32:17.0231 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/08 22:32:17.0541 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/08 22:32:17.0832 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/08 22:32:18.0162 HSFHWALI (479d9d93af53338db162a9ab23776a63) C:\WINDOWS\system32\DRIVERS\HSFHWALI.sys
2010/10/08 22:32:18.0573 HSF_DP (9b731969ba86d9a3ca55638264603e12) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/10/08 22:32:18.0943 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/08 22:32:19.0414 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/08 22:32:19.0724 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/08 22:32:20.0085 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/08 22:32:20.0335 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/08 22:32:20.0606 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/08 22:32:20.0866 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/08 22:32:21.0156 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/08 22:32:21.0407 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/08 22:32:21.0757 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/08 22:32:22.0008 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/08 22:32:22.0248 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/08 22:32:22.0629 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/08 22:32:23.0039 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/08 22:32:23.0310 mmc_2K (cc550087d266b9eef9d0d280e4858761) C:\WINDOWS\system32\drivers\mmc_2K.sys
2010/10/08 22:32:23.0640 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/08 22:32:23.0900 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/08 22:32:24.0141 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/08 22:32:24.0381 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
2010/10/08 22:32:24.0722 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
2010/10/08 22:32:24.0952 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2010/10/08 22:32:25.0192 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/08 22:32:25.0473 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/08 22:32:25.0783 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/08 22:32:26.0114 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/08 22:32:26.0404 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/08 22:32:26.0704 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/08 22:32:26.0925 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/08 22:32:27.0155 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/08 22:32:27.0405 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/08 22:32:27.0736 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/08 22:32:28.0046 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/08 22:32:28.0297 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/08 22:32:28.0687 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/08 22:32:28.0888 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/08 22:32:29.0148 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/08 22:32:29.0428 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/08 22:32:29.0769 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/08 22:32:30.0119 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/08 22:32:30.0480 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/08 22:32:30.0830 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/08 22:32:31.0071 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/08 22:32:31.0321 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/08 22:32:31.0651 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/08 22:32:31.0892 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/08 22:32:32.0162 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/08 22:32:32.0453 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/08 22:32:32.0903 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/10/08 22:32:33.0184 PCTCore (167b2fea66dde6925766d1a81a1affc0) C:\WINDOWS\system32\drivers\PCTCore.sys
2010/10/08 22:32:33.0604 pctgntdi (d15669bd3e1cf18f00b46a7949ea541f) C:\WINDOWS\system32\drivers\pctgntdi.sys
2010/10/08 22:32:33.0895 pctplsg (95a8562701e6b4494993847f85b2d60e) C:\WINDOWS\system32\drivers\pctplsg.sys
2010/10/08 22:32:34.0756 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/08 22:32:35.0006 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/08 22:32:35.0317 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/08 22:32:35.0687 pwd_2k (e5890ffa25637c01322e89a8f1449c63) C:\WINDOWS\system32\drivers\pwd_2k.sys
2010/10/08 22:32:35.0938 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/08 22:32:36.0448 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/08 22:32:36.0749 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/08 22:32:36.0999 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/08 22:32:37.0240 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/08 22:32:37.0510 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/08 22:32:37.0770 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/08 22:32:38.0031 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/08 22:32:38.0331 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/08 22:32:38.0632 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/10/08 22:32:38.0842 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/10/08 22:32:39.0142 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/08 22:32:39.0423 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/08 22:32:39.0743 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/08 22:32:39.0963 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/08 22:32:40.0494 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/08 22:32:40.0795 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/08 22:32:41.0085 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/08 22:32:41.0396 StreamDispatcher (d69904a55aaace06b244e33824da89b7) C:\WINDOWS\system32\DRIVERS\strmdisp.sys
2010/10/08 22:32:41.0776 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/08 22:32:42.0026 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/08 22:32:42.0587 SynTP (23fe1f173996b8bad4b9ed74003676d8) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/10/08 22:32:42.0808 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/08 22:32:43.0168 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/08 22:32:43.0569 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/08 22:32:43.0839 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/08 22:32:44.0099 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/08 22:32:44.0390 TfFsMon (d2a1cd31200a6c9d3dfad022503e4836) C:\WINDOWS\system32\drivers\TfFsMon.sys
2010/10/08 22:32:44.0660 TfNetMon (3e3a544d10b0ac1c4c133048f84390ac) C:\WINDOWS\system32\drivers\TfNetMon.sys
2010/10/08 22:32:44.0921 TfSysMon (706be7328a35c39dbe449e10c1ac6a38) C:\WINDOWS\system32\drivers\TfSysMon.sys
2010/10/08 22:32:45.0602 UdfReadr_xp (d4ef99cbce8ae48f9fa408e6fe1c99a1) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
2010/10/08 22:32:45.0852 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/08 22:32:46.0192 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/08 22:32:46.0503 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/08 22:32:46.0773 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/08 22:32:47.0024 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/10/08 22:32:47.0264 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/08 22:32:47.0584 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/08 22:32:47.0835 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/08 22:32:48.0075 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/08 22:32:48.0436 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/08 22:32:48.0816 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/08 22:32:49.0097 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/10/08 22:32:49.0477 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/08 22:32:49.0828 winachsf (3a2c273922037971f9e7a0ab549b8b0e) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/08 22:32:50.0288 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/10/08 22:32:50.0599 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/08 22:32:50.0849 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/08 22:32:50.0999 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/08 22:32:51.0019 ================================================================================
2010/10/08 22:32:51.0019 Scan finished
2010/10/08 22:32:51.0019 ================================================================================
2010/10/08 22:32:51.0089 Detected object count: 1
2010/10/08 22:33:12.0430 \HardDisk0\MBR - will be cured after reboot
2010/10/08 22:33:12.0430 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/08 22:33:16.0356 Deinitialize success

and next the mbrcheck log

MBRCheck, version 1.2.3
© 2010, AD

Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF83A3000 \WINDOWS\system32\KDCOM.DLL
0xF82B3000 \WINDOWS\system32\BOOTVID.dll
0xF7E62000 fltmgr.sys
0xF7E34000 ACPI.sys
0xF7E23000 pci.sys
0xF7EA3000 isapnp.sys
0xF82B7000 compbatt.sys
0xF83A7000 aliide.sys
0xF7E05000 pcmcia.sys
0xF7EB3000 MountMgr.sys
0xF7DE6000 ftdisk.sys
0xF83A9000 dmload.sys
0xF7DC0000 dmio.sys
0xF82BF000 ACPIEC.sys
0xF812B000 PartMgr.sys
0xF7EC3000 VolSnap.sys
0xF7DA8000 atapi.sys
0xF7ED3000 disk.sys
0xF7D96000 sr.sys
0xF7D5F000 PCTCore.sys
0xF7D4E000 TfSysMon.sys
0xF7D3D000 TfFsMon.sys
0xF8133000 PxHelp20.sys
0xF7D26000 KSecDD.sys
0xF7C99000 Ntfs.sys
0xF7C6C000 NDIS.sys
0xF7C52000 Mup.sys
0xF8023000 \SystemRoot\system32\DRIVERS\amdk7.sys
0xF7B32000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF7B1E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF81BB000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF7AFA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7AC1000 \SystemRoot\system32\drivers\ac97ali.sys
0xF7A9D000 \SystemRoot\system32\drivers\portcls.sys
0xF8033000 \SystemRoot\system32\drivers\drmk.sys
0xF7A7A000 \SystemRoot\system32\drivers\ks.sys
0xF8043000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF81C3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A4C000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF83BD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF81CB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF81D3000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7A38000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8053000 \SystemRoot\system32\DRIVERS\serial.sys
0xF8363000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7A0C000 \SystemRoot\system32\DRIVERS\HSFHWALI.sys
0xF7908000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF786D000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF81DB000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8063000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF785C000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF8073000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8083000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF81E3000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF783F000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xF836F000 \SystemRoot\system32\DRIVERS\FA312nd5.sys
0xF8373000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF8518000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8093000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8377000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7800000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF80A3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF80B3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF81EB000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF77EF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF80C3000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF81F3000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF81FB000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF80D3000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF83C1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7780000 \SystemRoot\system32\DRIVERS\update.sys
0xF838B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF8203000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xF7F33000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7F63000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7827000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF83D1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF84BE000 \SystemRoot\System32\Drivers\Null.SYS
0xF83D3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8243000 \SystemRoot\System32\drivers\vga.sys
0xF83D5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF83D7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF33E5000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xF824B000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8253000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF339E000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xF7518000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF3379000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF3320000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7F83000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF325A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF3223000 \??\C:\WINDOWS\system32\drivers\pctgntdi.sys
0xF31D3000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF31B1000 \SystemRoot\System32\drivers\afd.sys
0xF7F93000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7500000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF318F000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF825B000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF3164000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF30F4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7FA3000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7FB3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF826B000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF30A5000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF828B000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF3081000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF3069000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8413000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF321B000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8163000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF85E6000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF048000 \SystemRoot\System32\ati2cqag.dll
0xBF080000 \SystemRoot\System32\ati3d1ag.dll
0xF3217000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF3005000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF2DD2000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xF2C3A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF28CD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF840B000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF2890000 \SystemRoot\system32\drivers\wdmaud.sys
0xF2AF2000 \SystemRoot\system32\drivers\sysaudio.sys
0xF2842000 \SystemRoot\system32\drivers\kmixer.sys
0xF29AE000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xF26CB000 \SystemRoot\system32\DRIVERS\srv.sys
0xF8283000 \SystemRoot\system32\DRIVERS\strmdisp.sys
0xF2342000 \SystemRoot\System32\Drivers\HTTP.sys
0xF829B000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 33):
0 System Idle Process
4 System
540 C:\WINDOWS\system32\smss.exe
588 csrss.exe
612 C:\WINDOWS\system32\winlogon.exe
656 C:\WINDOWS\system32\services.exe
668 C:\WINDOWS\system32\lsass.exe
820 C:\WINDOWS\system32\ati2evxx.exe
836 C:\WINDOWS\system32\svchost.exe
904 svchost.exe
944 C:\WINDOWS\system32\svchost.exe
1024 svchost.exe
1132 svchost.exe
1216 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1408 C:\WINDOWS\explorer.exe
1568 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
1576 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
1584 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1592 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1616 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
1640 C:\WINDOWS\system32\carpserv.exe
1656 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1704 C:\WINDOWS\system32\ctfmon.exe
272 C:\WINDOWS\system32\spoolsv.exe
440 svchost.exe
556 C:\WINDOWS\system32\dlcxcoms.exe
632 C:\Program Files\Java\jre6\bin\jqs.exe
712 C:\WINDOWS\system32\svchost.exe
1356 C:\WINDOWS\system32\MsPMSPSv.exe
1332 C:\WINDOWS\system32\wuauclt.exe
2148 wmiprvse.exe
2344 alg.exe
2932 C:\Documents and Settings\Gidney\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: IC25N040ATMR04-0, Rev: MO2OAD5A

Size Device Name MBR Status
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


the computer started way faster than i have ever seen it after it rebooted.

#9 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 AM

Posted 09 October 2010 - 03:33 AM

Yes, that's fixed your Master Boot Record (MBR) which the TDSS rootkit had modified.

Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then run the PC through ESET's online scanner
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
Posted Image
m0le is a proud member of UNITE

#10 MadAsHell83

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 09 October 2010 - 11:53 PM

ok so both malwarebytes and the eset scanner came up empty handed, i hope this is a good thing, thewierd news site pop up has seemed to subside, the only other thing is the time is on a 24 hour clock even thought its set up for a 12 hour clock, maybe thats because combofix is still installed on the computer? so shall we dig deeper since these scans have produced nothing or should we consider it a clean machine? thanks for you time and all of your help so far, you have showed me a couple new tools to add to my arsenal.

#11 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 AM

Posted 10 October 2010 - 03:26 AM

Combofix sets a number of defaults to change it back follow the instructions below.

Click "Start," then "Control Panel." Next, select "Date, Time, Language and Regional Options."

Click "Regional and Language Options" and go to the "Regional Options" tab and click "Customize." Next, select the "Time" tab and click the arrow next to "Time format."

Select the time format "h:mm:ss tt" to set the 12-hour format. When finished, click "Apply" and then "OK."

It looks good, I would like to run one further scan with Superantispyware

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Posted Image
m0le is a proud member of UNITE

#12 MadAsHell83

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 10 October 2010 - 11:25 PM

sweet that fixed the time issue, and here is the superantispyware log that you requested.

SUPERAntiSpyware Scan Log

Generated 10/10/2010 at 12:57 PM

Application Version : 4.44.1000

Core Rules Database Version : 5506
Trace Rules Database Version: 3318

Scan type : Complete Scan
Total Scan Time : 01:11:06

Memory items scanned : 425
Memory threats detected : 0
Registry items scanned : 5011
Registry threats detected : 0
File items scanned : 38578
File threats detected : 42

Adware.Tracking Cookie
C:\Documents and Settings\Gidney\Cookies\gidney@apmebf[1].txt
C:\Documents and Settings\Gidney\Cookies\gidney@eset.122.2o7[1].txt
C:\Documents and Settings\Gidney\Cookies\gidney@mediaplex[2].txt
C:\Documents and Settings\Gidney\Cookies\gidney@at.atwola[1].txt
C:\Documents and Settings\Gidney\Cookies\gidney@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Gidney\Cookies\gidney@atwola[1].txt
C:\Documents and Settings\Gidney\Cookies\gidney@hitbox[2].txt
C:\Documents and Settings\Gidney\Cookies\gidney@tacoda[2].txt
C:\Documents and Settings\Gidney\Cookies\gidney@doubleclick[1].txt
C:\Documents and Settings\Gidney\Cookies\gidney@collective-media[2].txt
C:\Documents and Settings\Gidney\Cookies\gidney@advertising[1].txt
C:\Documents and Settings\Gidney\Cookies\gidney@ehg-eset.hitbox[1].txt
media.scanscout.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\PEFWH25C ]
secure-us.imrworldwide.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\PEFWH25C ]
core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\ZQ3JFNM9 ]
media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\ZQ3JFNM9 ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\ZQ3JFNM9 ]
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@cdn.jemamedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@enhance[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@oasn04.247realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt

#13 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 AM

Posted 11 October 2010 - 01:23 PM

That's showing only tracking cookies.

Any issues left on the PC now?
Posted Image
m0le is a proud member of UNITE

#14 MadAsHell83

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:22601
  • Local time:09:58 PM

Posted 11 October 2010 - 08:17 PM

no sir everything is good now, and i fixed the time, i certainly do appreciate all of your help and you have definately taught me some new tricks for the trade, again i thank you! thumbup.gif

#15 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:58 AM

Posted 12 October 2010 - 02:43 PM

Glad I could help. We must do a clean up before you go

You're clean. Good stuff! thumbup2.gif

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

Here's some advice on how you can keep your PC clean

Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Finally, here's a treasure trove of antivirus, antimalware and antispyware resources

That's it MadAsHell83, happy surfing!


Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users