Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with AlureonH - HELP!


  • Please log in to reply
8 replies to this topic

#1 penz

penz

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 02 October 2010 - 03:48 PM

Newbie needing some help here. OS: XP Browser IE.

Have run Microsoft Malicious Software Removal Tool - which has 'partially' removed AlureonH and scanned with AVG but there is no change as the whole thing seems to reinstall itself. It is still reinfecting, cutting off security updates, switching off sounds and redirecting the browser etc etc etc after a couple of previous attempts at removal

How do I get rid of this completely? Can anyone help me here. It's driving me nuts

Thanks Penz

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:30 PM

Posted 02 October 2010 - 08:39 PM

Hello penz. Run these and lt me know.

Please run the tool here How to remove Google Redirects

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Now run TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 penz

penz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 04 October 2010 - 03:20 PM

HI NJ
Thanks for the instructions - just one problem - Virus is now stopping me booting in normal mode - can I run this from safe mode? First problem is the Tdsskiller is being blocked from downloading - I will do as much as I can but am not I can get going yet - have been following instructions for gmer logs etc but cannot upload them to this site... I'm being blocked on all fronts here - any suggestions

Thanks for your time so far
Penz

Here's what I have so far following the other instructions (and my notes) However Cannot upload or cut and past any logs DSS Ark & Attach logs are all done but it won't let them upload or cut and paste inro the window!

Infected with AlureonH Virus: Problem with crashing, booting normally, blue screen warnings 'kwriipow.sys page fault in nonpaged area. Windows and Security updates all inaccessible. Slow loading (if at all) Normal boot only shows desktop picture - no icons or task bar - not all components loaded

Boots in safe mode but very unsteady getting this post up has taken about 4 hrs - screen freezing or hanging forcing reboot. When clicking 'post topic' it doesn't respond message 'Windows Explorer cannot connet with Internet - even though I AM connected on other tabs in same brwoser window

Have tried removal with Windows Maliocius software removal tool but virus reinstalls itself after windows 'partial removal' Generic hosting sytem 32 shuts down, then cuts out system resore and security software, then sound is shut down etc etc

Can you advise how I might be able to download the TDSSKiller file and get my logs posted to you??

Thanks Penz

Edited by penz, 04 October 2010 - 03:39 PM.


#4 penz

penz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 04 October 2010 - 05:30 PM

TDSS Log File as requested. Solved problem of download via flash drive & laptop. Thank for help so far.

2010/10/04 23:14:22.0062 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/04 23:14:22.0062 ================================================================================
2010/10/04 23:14:22.0062 SystemInfo:
2010/10/04 23:14:22.0062
2010/10/04 23:14:22.0062 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/04 23:14:22.0062 Product type: Workstation
2010/10/04 23:14:22.0062 ComputerName: MARK-6401FD266C
2010/10/04 23:14:22.0062 UserName: Mark
2010/10/04 23:14:22.0062 Windows directory: C:\WINDOWS
2010/10/04 23:14:22.0062 System windows directory: C:\WINDOWS
2010/10/04 23:14:22.0062 Processor architecture: Intel x86
2010/10/04 23:14:22.0062 Number of processors: 2
2010/10/04 23:14:22.0062 Page size: 0x1000
2010/10/04 23:14:22.0062 Boot type: Safe boot with network
2010/10/04 23:14:22.0062 ================================================================================
2010/10/04 23:14:22.0343 Initialize success
2010/10/04 23:14:32.0984 ================================================================================
2010/10/04 23:14:32.0984 Scan started
2010/10/04 23:14:32.0984 Mode: Manual;
2010/10/04 23:14:32.0984 ================================================================================
2010/10/04 23:14:34.0406 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/04 23:14:34.0468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/04 23:14:34.0609 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/04 23:14:34.0671 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/10/04 23:14:34.0765 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/04 23:14:35.0218 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/04 23:14:35.0281 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/04 23:14:35.0421 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/10/04 23:14:35.0531 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/04 23:14:35.0640 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/04 23:14:35.0734 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2010/10/04 23:14:35.0796 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2010/10/04 23:14:35.0875 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2010/10/04 23:14:35.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/04 23:14:36.0031 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/04 23:14:36.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/04 23:14:36.0218 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/04 23:14:36.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/04 23:14:36.0343 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/10/04 23:14:36.0515 cmdGuard (bbe9f023dfd2c4d2755da3fa47e4da08) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
2010/10/04 23:14:36.0593 cmdHlp (c28401f73d23e8187096169a8e444c9b) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2010/10/04 23:14:36.0593 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmdhlp.sys. Real md5: c28401f73d23e8187096169a8e444c9b, Fake md5: 45a1f7d2890681f22406458d93d03cc1
2010/10/04 23:14:36.0609 cmdHlp - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/04 23:14:36.0937 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/04 23:14:37.0031 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/04 23:14:37.0093 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/04 23:14:37.0140 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/04 23:14:37.0234 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/04 23:14:37.0375 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/04 23:14:37.0421 drvmcdb (24646242310499d75c6db4b32768a3b3) C:\WINDOWS\system32\drivers\drvmcdb.sys
2010/10/04 23:14:37.0500 drvnddm (2ff629c1c443e25d0149b9dfb77e43a8) C:\WINDOWS\system32\drivers\drvnddm.sys
2010/10/04 23:14:37.0578 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/04 23:14:37.0687 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/04 23:14:37.0750 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/10/04 23:14:37.0781 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/04 23:14:37.0812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/04 23:14:37.0890 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/04 23:14:37.0921 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/04 23:14:37.0968 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/04 23:14:38.0015 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/04 23:14:38.0062 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/04 23:14:38.0125 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/04 23:14:38.0218 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/10/04 23:14:38.0281 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/10/04 23:14:38.0343 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/10/04 23:14:38.0390 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/10/04 23:14:38.0453 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/10/04 23:14:38.0546 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/04 23:14:38.0718 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2010/10/04 23:14:38.0781 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/04 23:14:38.0921 Inspect (343ac4733c1e8b7ab6454178e4fcd4ad) C:\WINDOWS\system32\DRIVERS\inspect.sys
2010/10/04 23:14:39.0000 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/04 23:14:39.0046 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/04 23:14:39.0093 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/04 23:14:39.0125 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/04 23:14:39.0187 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/04 23:14:39.0250 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/04 23:14:39.0343 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/04 23:14:39.0421 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/04 23:14:39.0484 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/04 23:14:39.0546 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/04 23:14:39.0640 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/04 23:14:39.0703 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/04 23:14:39.0828 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/10/04 23:14:40.0000 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/04 23:14:40.0078 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/04 23:14:40.0156 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/04 23:14:40.0203 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/04 23:14:40.0234 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/04 23:14:40.0296 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/04 23:14:40.0328 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/04 23:14:40.0406 MpKsl0d588e7e (5f53edfead46fa7adb78eee9ecce8fdf) C:\WINDOWS\system32\MpEngineStore\MpKsl0d588e7e.sys
2010/10/04 23:14:40.0468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/04 23:14:40.0531 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/04 23:14:40.0593 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/04 23:14:40.0656 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/04 23:14:40.0687 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/04 23:14:40.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/04 23:14:40.0796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/04 23:14:40.0843 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/04 23:14:40.0906 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/04 23:14:40.0937 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/04 23:14:41.0015 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/04 23:14:41.0046 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/04 23:14:41.0093 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/04 23:14:41.0140 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/04 23:14:41.0218 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/04 23:14:41.0328 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/04 23:14:41.0390 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/04 23:14:41.0531 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/04 23:14:41.0609 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/04 23:14:41.0671 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/04 23:14:41.0734 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2010/10/04 23:14:41.0843 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/04 23:14:41.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/04 23:14:41.0937 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/04 23:14:41.0984 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/04 23:14:42.0062 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/04 23:14:42.0140 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/04 23:14:42.0640 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/04 23:14:42.0687 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/04 23:14:42.0750 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/04 23:14:42.0828 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/10/04 23:14:43.0093 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/04 23:14:43.0171 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/04 23:14:43.0250 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/04 23:14:43.0296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/04 23:14:43.0359 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/04 23:14:43.0406 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/04 23:14:43.0453 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/04 23:14:43.0546 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/04 23:14:43.0609 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/04 23:14:43.0750 RTL8187B (4e812ac89eec95aac9cacea29a0f8dc8) C:\WINDOWS\system32\DRIVERS\wg111v3.sys
2010/10/04 23:14:43.0875 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/04 23:14:43.0953 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/10/04 23:14:43.0984 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/04 23:14:44.0156 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/04 23:14:44.0218 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/04 23:14:44.0296 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/04 23:14:44.0343 sscdbhk5 (1cbd1b58a32de97899f5290b05f856db) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2010/10/04 23:14:44.0390 ssrtln (7fb07ac152d7a87e66204860002bd9a4) C:\WINDOWS\system32\drivers\ssrtln.sys
2010/10/04 23:14:44.0468 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
2010/10/04 23:14:44.0562 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/04 23:14:44.0609 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/04 23:14:44.0906 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/04 23:14:45.0015 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/04 23:14:45.0078 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/04 23:14:45.0109 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/04 23:14:45.0171 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/04 23:14:45.0234 tfsnboio (c89daabdff5bd984181f45adf6ddb24a) C:\WINDOWS\system32\dla\tfsnboio.sys
2010/10/04 23:14:45.0281 tfsncofs (f093906c27fc9c59bd03d84807266107) C:\WINDOWS\system32\dla\tfsncofs.sys
2010/10/04 23:14:45.0312 tfsndrct (9294575cdad17d1dadfcd98a2ca26e7a) C:\WINDOWS\system32\dla\tfsndrct.sys
2010/10/04 23:14:45.0359 tfsndres (cdcc394cbaac183f9bdebf6d2f97c5c6) C:\WINDOWS\system32\dla\tfsndres.sys
2010/10/04 23:14:45.0406 tfsnifs (0a6c7c989dd76bb8989fd958ac5601d0) C:\WINDOWS\system32\dla\tfsnifs.sys
2010/10/04 23:14:45.0437 tfsnopio (92a17c0d73500f9b9c3028da9e4cdba6) C:\WINDOWS\system32\dla\tfsnopio.sys
2010/10/04 23:14:45.0500 tfsnpool (15ab1a2bb2b35eb1dcda39405114afc6) C:\WINDOWS\system32\dla\tfsnpool.sys
2010/10/04 23:14:45.0562 tfsnudf (370d2779668bf3b8d14f34356c41ab9c) C:\WINDOWS\system32\dla\tfsnudf.sys
2010/10/04 23:14:45.0609 tfsnudfa (4564799868c4bcdf28c8efc6d4c48c4b) C:\WINDOWS\system32\dla\tfsnudfa.sys
2010/10/04 23:14:45.0812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/04 23:14:45.0906 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/04 23:14:46.0015 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/04 23:14:46.0046 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/04 23:14:46.0109 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/04 23:14:46.0171 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/04 23:14:46.0265 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/04 23:14:46.0296 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/04 23:14:46.0343 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/04 23:14:46.0375 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/04 23:14:46.0468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/04 23:14:46.0546 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/04 23:14:46.0656 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/04 23:14:46.0765 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/04 23:14:47.0015 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/04 23:14:47.0078 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/04 23:14:47.0281 ================================================================================
2010/10/04 23:14:47.0281 Scan finished
2010/10/04 23:14:47.0281 ================================================================================
2010/10/04 23:14:47.0328 Detected object count: 1
2010/10/04 23:15:03.0765 cmdHlp (c28401f73d23e8187096169a8e444c9b) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2010/10/04 23:15:03.0765 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cmdhlp.sys. Real md5: c28401f73d23e8187096169a8e444c9b, Fake md5: 45a1f7d2890681f22406458d93d03cc1
2010/10/04 23:15:04.0234 Backup copy found, using it..
2010/10/04 23:15:04.0234 C:\WINDOWS\system32\DRIVERS\cmdhlp.sys - will be cured after reboot
2010/10/04 23:15:04.0234 Rootkit.Win32.TDSS.tdl3(cmdHlp) - User select action: Cure
2010/10/04 23:15:11.0265 Deinitialize success


MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4742

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

04/10/2010 23:46:22
mbam-log-2010-10-04 (23-46-22).txt

Scan type: Quick scan
Objects scanned: 150110
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Does this mean I'm finally free? Thanks for your time help & advice. Much appreciated

Edited by penz, 04 October 2010 - 05:56 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:30 PM

Posted 04 October 2010 - 09:07 PM

Good work with the USB,penz.. Looks good here. I would like to do an online scan before we mop up.
ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 penz

penz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 06 October 2010 - 08:14 PM

Hi NJ

No ESET Log 'no threats found' - although not entirely convinced yet as very slow - processor cooling fan working overtime when there's nothing running, periodically not booting properly in normal mode and much hanging, Photoshop access denied 'wrong permissions, log in as administrator' (cured with sys restore) and lots of tracking cookies with my name on appearing when the browser is open but I'm not surfing (stopped by AVG)

However, BIG THANKS for all your help and for getting me out of that hole. I'll just have to see how it pans out over the next few days and hope the nasties have gone for good

One question - what's your view on Sandboxing - does this stop the crap getting in?

Regards and thanks once again Penz

Edited by penz, 06 October 2010 - 08:15 PM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:30 PM

Posted 06 October 2010 - 09:24 PM

Hello,thats's good. let's mop up and I'll answer your questions below.

EDIT: :thumbsup: I see you did a system restore. Before we create a new restore point...

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

><><><><><><><><><>

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:Sandboxie,offers good protection. It runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer Compatibility: Windows 2000/XP/Vista/Server 2003
If a trojan or virus infects you when browsing a bad site, it is contained within Sandboxie and does not infect your system. You can just delete all Sandboxie contents to get rid of it.

The level of protection also depends on your awareness about malware. If you do not know that you are infected and accidentally or intentionally save the modified data to your actual system folders, then you are infected.

Sandboxie FAQ

Good 3 part video review below.

Part 1
Part 2
Part 3


Now all that being said you should consider Building a second user account with NON-ADMINISTRATIVE access is one of the best ways to protect your home or corporate PC. See Harry Waldron's excellent article on it. >> L@@K

Edited by boopme, 06 October 2010 - 09:27 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 penz

penz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:30 AM

Posted 09 October 2010 - 07:18 PM

Hi NJ

Finally here's the mbam log - I re-ran the rest as a precaution as well - everything seems clear now - thanks for all your help. I owe you a beer!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4786

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/10/2010 00:47:30
mbam-log-2010-10-10 (00-47-30).txt

Scan type: Quick scan
Objects scanned: 151049
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:30 PM

Posted 09 October 2010 - 09:39 PM

Looks good.. :thumbsup:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users