Possible TDSS Rootkit Infection


This topic is locked
14 replies to this topic

#1 tps

  • Members
  • 7 posts

Posted 02 October 2010 - 07:53 PM

Thanks in advance for any help provided. MalwareBytes AntiMalware runs, but closes after 2 seconds, then the executable won't run again, error message stating "you may not have sufficient privileges to run the specified file". System was infected with AntiVirus 2010, and although that no longer pops up, I'm still not 100% clean. Windows Update will not connect to MS's update site. Kaspersky tool reports that I am infected with some variant of TDSS.Rootkit on the MBR, and claims that it would be removed at the next reboot, but after rebooting, the scan reports the infection is still there. I am unable to turn on the Windows Firewall.

Update: AVG just popped up saying it picked up a Trojan horse generic19.AHPV in C:\Windows\Fonts\lmW03Qk.com - it sent it to the vault. It flagged 2 other files as having the same trojan, but said the object was inaccessible and failed to quarantine or delete it.


DDS (Ver_10-03-17.01) - NTFSx86
Run by claire at 15:17:40.79 on Sat 10/02/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1514 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\KasperskyVRT\setup_9.0.0.722_29.09.2010_00-29\setup_9.0.0.722_29.09.2010_00-29.exe
C:\Program Files\Lexmark 3400 Series\lxcymon .exe
C:\Program Files\Lexmark 3400 Series\ezprint .exe
C:\PROGRA~1\AVG\AVG9\avgtray .exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Documents and Settings\All Users\Application Data\4Gi5Hq4p.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\claire\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://webmail.rcn.com/login.php
mStart Page = hxxp://www.dell4me.com/myway
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [EzPrint] "c:\program files\lexmark 3400 series\ezprint.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\claire\startm~1\programs\startup\setup_~1.lnk - c:\kasperskyvrt\setup_9.0.0.722_29.09.2010_00-29\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: musicmatch.com\online
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 17230142;17230142 Boot Guard Driver;c:\windows\system32\drivers\17230142.sys [2010-9-29 37392]
R0 32664142;32664142 Boot Guard Driver;c:\windows\system32\drivers\32664142.sys [2010-9-28 37392]
R1 17230141;17230141;c:\windows\system32\drivers\17230141.sys [2010-9-29 128016]
R1 32664141;32664141;c:\windows\system32\drivers\32664141.sys [2010-9-28 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-22 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-22 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-22 243024]
R1 setup_9.0.0.722_29.09.2010_00-29drv;setup_9.0.0.722_29.09.2010_00-29drv;c:\windows\system32\drivers\1723014.sys [2010-9-29 315408]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-9-22 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-22 308136]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [2004-8-10 12800]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-3-4 1251720]

=============== Created Last 30 ================

2010-10-02 19:16:25 0 ----a-w- c:\documents and settings\claire\defogger_reenable
2010-10-02 19:05:42 112 ----a-w- c:\docume~1\alluse~1\applic~1\AQt5srRe2.dat
2010-10-02 19:05:40 72706 ----a-w- c:\docume~1\alluse~1\applic~1\4Gi5Hq4p.exe
2010-10-02 18:48:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-02 18:48:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-02 18:48:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-29 21:15:55 37392 ----a-w- c:\windows\system32\drivers\17230142.sys
2010-09-29 21:15:55 128016 ----a-w- c:\windows\system32\drivers\17230141.sys
2010-09-29 21:15:54 315408 ----a-w- c:\windows\system32\drivers\1723014.sys
2010-09-29 21:15:54 0 d-----w- C:\KasperskyVRT
2010-09-28 22:35:42 37392 ----a-w- c:\windows\system32\drivers\32664142.sys
2010-09-28 22:35:42 315408 ----a-w- c:\windows\system32\drivers\3266414.sys
2010-09-28 22:35:42 128016 ----a-w- c:\windows\system32\drivers\32664141.sys
2010-09-28 22:35:41 0 d-----w- c:\program files\Virus Removal Tool.old
2010-09-28 04:19:44 0 d-----w- C:\ComboFix
2010-09-28 04:19:35 0 d-----w- c:\docume~1\claire\applic~1\AVG9
2010-09-28 03:03:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-28 00:06:58 0 d-sha-r- C:\cmdcons
2010-09-28 00:03:04 98816 ----a-w- c:\windows\sed.exe
2010-09-28 00:03:04 77312 ----a-w- c:\windows\MBR.exe
2010-09-28 00:03:04 256512 ----a-w- c:\windows\PEV.exe
2010-09-28 00:03:04 161792 ----a-w- c:\windows\SWREG.exe
2010-09-23 00:30:11 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-09-23 00:30:11 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2010-09-23 00:30:11 25600 ----a-w- c:\windows\system32\dllcache\dc210_32.dll
2010-09-23 00:30:11 25600 ----a-w- c:\windows\system32\dc210_32.dll
2010-09-23 00:30:10 80896 ----a-w- c:\windows\system32\dllcache\dc210usd.dll
2010-09-23 00:30:10 80896 ----a-w- c:\windows\system32\dc210usd.dll
2010-09-23 00:28:20 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-09-23 00:28:19 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-09-23 00:18:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak
2010-09-22 22:28:37 0 d-----w- c:\docume~1\claire\applic~1\Malwarebytes
2010-09-22 22:28:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-22 22:22:40 0 d-----w- C:\$AVG
2010-09-22 22:21:14 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-22 22:21:14 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-09-22 22:21:04 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-22 22:20:52 0 d-----w- c:\windows\system32\drivers\Avg
2010-09-22 22:20:26 0 d-----w- c:\program files\AVG
2010-09-22 22:20:24 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-09-18 22:39:10 54156 ---ha-w- c:\windows\QTFont.qfn
2010-09-18 22:39:10 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2010-10-02 19:04:04 94208 ----a-w- c:\windows\fonts\ImW03Qk.com
2010-09-18 17:36:04 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:18:42.01 ===============



EDIT: paste log for research


Edited by etavares, 09 October 2010 - 06:01 AM.
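
Added example (not part of the original thread, and not one of the tools it names): a small triage script that applies, to lines of a DDS log like the one posted above, the checks a log reader applies by eye. The sample lines are copied from the posted log; the heuristic names, the space-before-extension and case-flip rules, the short-name mapping and the list of "no executables here" directories are our own choices. The output is a list of leads to verify against a clean copy of the file, not a verdict on any of them.

```python
import re
from pathlib import PureWindowsPath

# Sample input: lines copied from the DDS log posted above (Running Processes,
# Created Last 30 and Find3M sections), mixed into one list so both line
# formats that DDS uses are exercised.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\Program Files\Analog Devices\Core\smax4pnp .exe",
    r"C:\PROGRA~1\AVG\AVG9\avgtray .exe",
    r"C:\Documents and Settings\All Users\Application Data\4Gi5Hq4p.exe",
    r"C:\Documents and Settings\claire\Desktop\dds.scr",
    r"2010-10-02 19:04:04 94208 ----a-w- c:\windows\fonts\ImW03Qk.com",
    r"2010-10-02 19:05:42 112 ----a-w- c:\docume~1\alluse~1\applic~1\AQt5srRe2.dat",
    r"2010-09-18 17:36:04 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys",
    r"2010-09-22 22:21:14 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys",
    r"2010-09-29 21:15:55 37392 ----a-w- c:\windows\system32\drivers\17230142.sys",
]

EXEC_EXT = {".exe", ".com", ".scr", ".sys", ".dll"}

# 8.3 short names DDS prints for the usual XP profile directories (assumed
# mapping; extend it for other locales or drives).
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "alluse~1": "all users",
    "applic~1": "application data",
    "progra~1": "program files",
}

# Directories where a freshly written executable is a lead worth checking.
NO_EXEC_DIRS = {
    r"c:\windows\fonts",
    r"c:\documents and settings\all users\application data",
}

# "<date> <time> <size> <attrs> <path>" as printed under Created Last 30 / Find3M.
DDS_FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d) ([\d:]+) (\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def parse_line(line):
    """Split one log line into (path, attribute string)."""
    m = DDS_FILE_LINE.match(line.strip())
    if m:
        return m.group("path"), m.group("attrs")
    # Running Processes lines may carry service arguments ("svchost -k netsvcs").
    return line.strip().split(" -", 1)[0], ""


def normalise(path):
    """Lower-case and expand the short directory names so paths compare equal."""
    return "\\".join(SHORT_NAMES.get(part, part) for part in path.lower().split("\\"))


def letter_case_flips(stem):
    """Count upper/lower transitions between consecutive letters (digits ignored)."""
    letters = [c for c in stem if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))


def triage(lines):
    """Map each flagged path to the list of heuristics it tripped."""
    findings = {}
    for line in lines:
        raw, attrs = parse_line(line)
        raw_path = PureWindowsPath(raw)
        norm_path = PureWindowsPath(normalise(raw))
        ext = norm_path.suffix
        reasons = []
        # 1. a space wedged in before the extension ("smax4pnp .exe")
        if ext in EXEC_EXT and raw_path.stem.endswith(" "):
            reasons.append("space before extension")
        # 2. a machine-generated looking name: short, alphanumeric, 3+ case flips
        if (re.fullmatch(r"[A-Za-z0-9]{6,10}", raw_path.stem)
                and letter_case_flips(raw_path.stem) >= 3):
            reasons.append("random-looking name")
        # 3. an executable dropped where installers never put one
        if ext in EXEC_EXT and str(norm_path.parent) in NO_EXEC_DIRS:
            reasons.append("executable in unexpected directory")
        # 4. hidden + system attributes on a loose file (DDS prints them as "s" and "h")
        if "s" in attrs and "h" in attrs:
            reasons.append("hidden+system attributes")
        if reasons:
            findings[raw] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(f"{path}\n    {'; '.join(reasons)}")
```

Run as-is it prints the five paths from the posted log that trip a rule; the AVG and Kaspersky drivers and the ordinary system processes pass. To use it on a full DDS log, feed it the lines of the three sections named above.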




#2 etavares

Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 08 October 2010 - 06:04 PM

Hi...are you still having trouble? Please reply back in the next 3 days and let me know.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 tps

  • Topic Starter
  • Members
  • 7 posts

Posted 08 October 2010 - 08:29 PM

etavares wrote (Oct 8 2010, 07:04 PM):
Hi...are you still having trouble? Please reply back in the next 3 days and let me know.



I am. Please advise.

#4 etavares

Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 09 October 2010 - 05:57 AM

Hello, tps.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

OK, we need to look for one type of infection first with that error message. If it is this one particular rootkit, we can fix it easily if it's not too embedded. If it has put tentacles into a lot of things, it may not be possible to fix. Let's take a look.



Step 1

Download and run Win32kDiag:
  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Download and run a batch file (peek.bat):
  1. Download peek.bat from the download link below and save it to your Desktop.
  2. Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  3. Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

etavares

Edited by etavares, 09 October 2010 - 05:58 AM.




#5 tps

  • Topic Starter
  • Members
  • 7 posts

Posted 09 October 2010 - 08:44 AM

Thanks etavares. Here is the info you requested:

W32KDiag.txt:


Running from: C:\Documents and Settings\claire\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\claire\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[1] 2004-08-04 06:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)





Finished!


------------------------------
Log.txt:


Volume in drive C has no label.
Volume Serial Number is 288F-8206

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 61,605,584,896 bytes free
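
Added example, not code from the thread or from Win32kDiag or peek.bat themselves: the comparison a helper makes by eye from the two logs above, written out so the logic is visible. It parses the Win32kDiag entries and the peek.bat directory listings, flags any copy Win32kDiag could not open or whose version block names no company (the `()` on the system32 dumprep.exe line), and checks that each live system32 DLL is the same size as the copy under ServicePackFiles\i386, the copy the current service pack installed. One caveat the posted run itself shows: Win32kDiag printed "Could not get backup privileges!", so an access failure on its own is a weaker signal than a size mismatch against the service-pack copy. The sample text is copied from the posted logs; the directory names used as "live" and "reference" are assumptions, and `PATCHED_EXAMPLE` is a constructed dictionary included only to show what a mismatch looks like.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input copied from the Win32kDiag.txt and peek.bat Log.txt posted above
# (blank lines dropped; peek output abridged to one "Directory of" header per
# directory, which the parser handles the same as the repeated headers).
WIN32KDIAG_SAMPLE = r"""
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
[1] 2004-08-04 06:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)
Finished!
"""

PEEK_SAMPLE = r"""
 Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 180,224 scecli.dll
08/04/2004 06:00 AM 407,040 netlogon.dll
08/04/2004 06:00 AM 55,808 eventlog.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
 Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
               3 File(s) 644,608 bytes
"""

LIVE_DIR = r"C:\WINDOWS\system32"
SP_DIR = r"C:\WINDOWS\ServicePackFiles\i386"  # assumed reference: what the service pack installed

# CONSTRUCTED, not from the posted logs: what a patched live copy would look like.
PATCHED_EXAMPLE = {"eventlog.dll": {LIVE_DIR: 57344, SP_DIR: 56320}}

W32K_DENIED = re.compile(r"^Cannot access: (.+)$")
W32K_ENTRY = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
DIR_HEADER = re.compile(r"^\s*Directory of (.+)$")
DIR_ENTRY = re.compile(r"^(\S+) +(\d\d:\d\d [AP]M) +([\d,]+) +(.+)$")


def parse_win32kdiag(text):
    """Return (paths the tool could not read, {basename: [(path, size, company)]})."""
    denied, entries = set(), defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        m = W32K_DENIED.match(line)
        if m:
            denied.add(m.group(1))
            continue
        m = W32K_ENTRY.match(line)
        if m:
            _, size, path, company = m.groups()
            entries[PureWindowsPath(path).name.lower()].append((path, int(size), company))
    return denied, dict(entries)


def parse_peek(text):
    """Return {basename: {directory: size}} from the dir listings peek.bat writes."""
    sizes, current = defaultdict(dict), None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group(1).strip()
            continue
        m = DIR_ENTRY.match(line.strip())
        if m and current:
            _, _, size, name = m.groups()
            sizes[name.lower()][current] = int(size.replace(",", ""))
    return dict(sizes)


def check_live_copies(sizes, live_dir=LIVE_DIR, reference_dir=SP_DIR):
    """Compare every live copy with the service-pack copy it should be identical to."""
    verdicts = {}
    for name, per_dir in sizes.items():
        live, ref = per_dir.get(live_dir), per_dir.get(reference_dir)
        if live is None or ref is None:
            verdicts[name] = "no reference copy"
        elif live == ref:
            verdicts[name] = "ok"
        else:
            verdicts[name] = f"mismatch: live {live} bytes, reference {ref} bytes"
    return verdicts


def suspicious_entries(denied, entries):
    """Paths Win32kDiag could not open, plus copies whose version block names no company."""
    flagged = set(denied)
    for copies in entries.values():
        flagged.update(path for path, _, company in copies if not company.strip())
    return sorted(flagged)


if __name__ == "__main__":
    denied, entries = parse_win32kdiag(WIN32KDIAG_SAMPLE)
    print("Win32kDiag leads:", suspicious_entries(denied, entries))
    print("peek.bat verdicts:", check_live_copies(parse_peek(PEEK_SAMPLE)))
    print("constructed patched case:", check_live_copies(PATCHED_EXAMPLE))
```

On the posted data all three DLLs come back "ok" (the smaller $NtServicePackUninstall$ copies are the pre-service-pack versions and are deliberately not used as the reference), and the only lead is the system32 dumprep.exe, which is exactly the file the helper's next step goes on to examine.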


#6 etavares

Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 10 October 2010 - 06:44 AM

Hello, tps.
Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares




#7 tps

  • Topic Starter
  • Members
  • 7 posts

Posted 10 October 2010 - 11:50 AM

Here is the log file you requested. I am still seeing the issue where MalwareBytes AntiMalware exits only 2 seconds into a scan. After MBAM closes, mbam.exe will no longer run, with the error message saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Thank you for your continued support.

ComboFix.txt:

ComboFix 10-10-09.06 - claire 10/10/2010 12:24:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1607 [GMT -4:00]
Running from: c:\documents and settings\claire\Desktop\etavaresCF.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2010-10-02 18:48 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-02 18:48 . 2010-10-02 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-02 18:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-29 21:15 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\17230142.sys
2010-09-29 21:15 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\17230141.sys
2010-09-29 21:15 . 2010-10-02 18:59 -------- d-----w- C:\KasperskyVRT
2010-09-29 21:15 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\1723014.sys
2010-09-28 22:35 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\32664142.sys
2010-09-28 22:35 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3266414.sys
2010-09-28 22:35 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\32664141.sys
2010-09-28 22:35 . 2010-09-29 20:51 -------- d-----w- c:\program files\Virus Removal Tool.old
2010-09-28 04:19 . 2010-09-28 04:45 -------- d-----w- C:\ComboFix
2010-09-28 04:19 . 2010-09-28 04:19 -------- d-----w- c:\documents and settings\claire\Application Data\AVG9
2010-09-28 00:44 . 2010-09-28 00:44 -------- d-----w- c:\documents and settings\Administrator
2010-09-23 00:30 . 2001-08-18 02:36 25600 ----a-w- c:\windows\system32\dllcache\dc210_32.dll
2010-09-23 00:30 . 2001-08-18 02:36 25600 ----a-w- c:\windows\system32\dc210_32.dll
2010-09-23 00:30 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-09-23 00:30 . 2001-08-17 17:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2010-09-23 00:30 . 2001-08-18 02:36 80896 ----a-w- c:\windows\system32\dllcache\dc210usd.dll
2010-09-23 00:30 . 2001-08-18 02:36 80896 ----a-w- c:\windows\system32\dc210usd.dll
2010-09-23 00:28 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-09-23 00:28 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-09-23 00:18 . 2010-09-23 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-09-22 22:28 . 2010-09-22 22:28 -------- d-----w- c:\documents and settings\claire\Application Data\Malwarebytes
2010-09-22 22:28 . 2010-09-22 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-22 22:22 . 2010-09-22 22:22 -------- d-----w- C:\$AVG
2010-09-22 22:21 . 2010-09-22 22:21 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-22 22:21 . 2010-09-22 22:21 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-09-22 22:21 . 2010-09-22 22:21 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-22 22:21 . 2010-09-22 22:21 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-22 22:20 . 2010-10-02 22:58 -------- d-----w- c:\windows\system32\drivers\Avg
2010-09-22 22:20 . 2010-09-22 22:20 -------- d-----w- c:\program files\AVG
2010-09-22 22:20 . 2010-10-06 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-18 22:39 . 2010-09-18 22:39 1409 ----a-w- c:\windows\QTFont.for
2010-09-18 22:11 . 2010-09-18 22:42 -------- d-----w- c:\documents and settings\claire\Local Settings\Application Data\Google
2010-09-18 22:09 . 2010-09-18 22:42 -------- d-----w- c:\program files\Google
2010-09-13 23:38 . 2010-09-13 23:38 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Lexmark 3400 Series\ezprint .exe
c:\program files\Lexmark 3400 Series\lxcymon .exe
c:\program files\Lexmark Fax Solutions\fm3032 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

c:\documents and settings\claire\Start Menu\Programs\Startup\
setup_9.0.0.722_29.09.2010_00-29.lnk - c:\kasperskyvrt\setup_9.0.0.722_29.09.2010_00-29\startup.exe [2010-9-29 72208]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-10-23 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-09-22 22:21 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2005-09-09 00:20 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2001-01-23 16:52 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\2\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-10-23 04:59 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
c:\program files\Java\j2re1.4.2_03\bin\jusched.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NSCService"=3 (0x3)
"Symantec Core LC"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 17230142;17230142 Boot Guard Driver;c:\windows\system32\drivers\17230142.sys [9/29/2010 5:15 PM 37392]
R0 32664142;32664142 Boot Guard Driver;c:\windows\system32\drivers\32664142.sys [9/28/2010 6:35 PM 37392]
R1 17230141;17230141;c:\windows\system32\drivers\17230141.sys [9/29/2010 5:15 PM 128016]
R1 32664141;32664141;c:\windows\system32\drivers\32664141.sys [9/28/2010 6:35 PM 128016]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/22/2010 6:21 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/22/2010 6:21 PM 243024]
R1 setup_9.0.0.722_29.09.2010_00-29drv;setup_9.0.0.722_29.09.2010_00-29drv;c:\windows\system32\drivers\1723014.sys [9/29/2010 5:15 PM 315408]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [9/22/2010 6:20 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [9/22/2010 6:20 PM 308136]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [8/10/2004 1:51 PM 12800]
S3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.rcn.com/login.php
mStart Page = hxxp://www.dell4me.com/myway
Trusted Zone: musicmatch.com\online
.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A657C76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74c6852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf744abb0
PacketIndicateHandler -> NDIS.sys @ 0xf7439a0d
SendHandler -> NDIS.sys @ 0xf744db40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Cpqarray]
"ImagePath"="\SystemRoot\system32\DRIVERS\cpqarray.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dac2w2k]
"ImagePath"="\SystemRoot\system32\DRIVERS\dac2w2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dac960nt]
"ImagePath"="\SystemRoot\system32\DRIVERS\dac960nt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\dpti2o]
"ImagePath"="\SystemRoot\system32\DRIVERS\dpti2o.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drvmcdb]
"ImagePath"="system32\drivers\drvmcdb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drvncdb]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drvnddm]
"ImagePath"="system32\drivers\drvnddm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\E100B]
"ImagePath"="system32\DRIVERS\e100b325.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Fax]
"ImagePath"="%systemroot%\system32\fxssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HidServ]
"ServiceDll"=" %SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hpn]
"ImagePath"="\SystemRoot\system32\DRIVERS\hpn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HSFHWBS2]
"ImagePath"="system32\DRIVERS\HSFHWBS2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HSF_DP]
"ImagePath"="system32\DRIVERS\HSF_DP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\i2omp]
"ImagePath"="\SystemRoot\system32\DRIVERS\i2omp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ialm]
"ImagePath"="system32\DRIVERS\ialmnt5.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ILADFtmi]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ini910u]
"ImagePath"="\SystemRoot\system32\DRIVERS\ini910u.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\intelppm]
"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ip6Fw]
"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LexBceS]
"ImagePath"="c:\windows\system32\LEXBCES.EXE"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\lxcy_device]
"ImagePath"="c:\windows\system32\lxcycoms.exe -service"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mdmxsdk]
"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MODEMCSA]
"ImagePath"="system32\drivers\MODEMCSA.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mraid35x]
"ImagePath"="\SystemRoot\system32\DRIVERS\mraid35x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mvb35316]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NetSvc]
"ImagePath"="c:\program files\Intel\PROSetWired\NCS\Sync\NetSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\nv]
"ImagePath"="system32\DRIVERS\nv4_mini.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\perc2]
"ImagePath"="\SystemRoot\system32\DRIVERS\perc2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\perc2hib]
"ImagePath"="\SystemRoot\system32\DRIVERS\perc2hib.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ql1080]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1080.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Ql10wnt]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql10wnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ql12160]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql12160.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ql1240]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1240.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ql1280]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1280.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\senfilt]
"ImagePath"="system32\drivers\senfilt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\setup_9.0.0.722_29.09.2010_00-29drv]
"ImagePath"="system32\DRIVERS\1723014.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sisagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\sisagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\smwdm]
"ImagePath"="system32\drivers\smwdm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sparrow]
"ImagePath"="\SystemRoot\system32\DRIVERS\sparrow.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sscdbhk5]
"ImagePath"="system32\drivers\sscdbhk5.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ssrtln]
"ImagePath"="system32\drivers\ssrtln.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\StillCam]
"ImagePath"="system32\DRIVERS\serscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4}"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Symantec Core LC]
"ImagePath"="\"c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\symc810]
"ImagePath"="\SystemRoot\system32\DRIVERS\symc810.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\symc8xx]
"ImagePath"="\SystemRoot\system32\DRIVERS\symc8xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\symlcbrd]
"ImagePath"="\??\c:\windows\system32\drivers\symlcbrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sym_hi]
"ImagePath"="\SystemRoot\system32\DRIVERS\sym_hi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sym_u3]
"ImagePath"="\SystemRoot\system32\DRIVERS\sym_u3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsnboio]
"ImagePath"="system32\dla\tfsnboio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsncofs]
"ImagePath"="system32\dla\tfsncofs.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsndrct]
"ImagePath"="system32\dla\tfsndrct.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsndres]
"ImagePath"="system32\dla\tfsndres.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsnifs]
"ImagePath"="system32\dla\tfsnifs.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsnopio]
"ImagePath"="system32\dla\tfsnopio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsnpool]
"ImagePath"="system32\dla\tfsnpool.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsnudf]
"ImagePath"="system32\dla\tfsnudf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\tfsnudfa]
"ImagePath"="system32\dla\tfsnudfa.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TlntSvr]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TosIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\toside.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ultra]
"ImagePath"="\SystemRoot\system32\DRIVERS\ultra.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\viaagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ViaIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\VxD]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\w32time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wanatw]
"ImagePath"="system32\DRIVERS\wanatw4.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\winachsf]
"ImagePath"="system32\DRIVERS\HSF_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\mspmsnsv.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Wmi]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{913784C5-8861-430E-9B57-FB1F2E20A053}]
.
Completion time: 2010-10-10 12:40:43
ComboFix-quarantined-files.txt 2010-10-10 16:40
ComboFix2.txt 2010-09-28 04:45

Pre-Run: 61,778,493,440 bytes free
Post-Run: 61,825,855,488 bytes free

- - End Of File - - EA1F1A978C2CFEF71F06C28A40A25E8D

Attached Files


Edited by tps, 10 October 2010 - 11:54 AM.


#8 etavares

etavares
  • Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 11 October 2010 - 05:41 PM

Hello, tps.

Ok, you do have a backdoor file infector, in addition to TDSS. Both are backdoor malware.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Step 1

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 2

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"


etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
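
What the MBRCheck step above actually measures, written out as an added example (this is not code from the thread, from MBRCheck, or from any of the tools named in the post): read the 512-byte sector 0, confirm the 55 AA boot signature, hash only the 440 bytes of boot code (the disk signature and partition table legitimately differ per machine, so they are excluded), compare the hash against an allow-list, and sanity-check the partition table for a single active entry and no overlapping ranges. The allow-list, the stand-in boot code and the partition layout are constructed for the example; the layout reuses the C: byte offset 0x02738a00 that MBRCheck reports in the reply that follows, but everything else about it is invented, and MBRCheck's real vendor hash list is not reproduced here. read_mbr() is provided for a live read but is not called, so the block runs offline.

```python
"""Offline MBR check: boot signature, SHA-1 of the boot code, partition-table sanity.
Added example; not code from the thread or from MBRCheck."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 are boot code; 440..443 the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
BOOT_SIG_OFF = 510       # bytes 510..511 must be 55 AA
PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def build_sample_mbr(boot_code, partitions, disk_signature=0x12345678):
    """Construct a 512-byte MBR image for testing (constructed data, not a real disk).
    partitions: up to four (bootable, type_id, start_lba, sector_count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, BOOT_CODE_LEN, disk_signature)
    for i, (bootable, ptype, start, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, start, count)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr):
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start, "sectors": count,
                        "byte_offset": start * SECTOR_SIZE})
    return entries


def boot_code_sha1(mbr):
    """SHA-1 over the boot-code bytes only, so per-machine fields do not change it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(mbr, known_good):
    """known_good maps upper-case SHA-1 hex -> label of a known-good boot code.
    Verdict is 'invalid', 'known', 'suspicious' (known code, odd table) or 'non-standard'."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return {"verdict": "invalid", "findings": ["image is not 512 bytes"]}
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 55 AA missing")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p["sectors"] == 0 or p["start_lba"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    # Overlapping entries are a classic sign of a hand-edited table.
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in parts)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions overlap at LBA {s2}")
    digest = boot_code_sha1(mbr)
    label = known_good.get(digest)
    if label is None:
        findings.append(f"boot code SHA-1 {digest} not in the allow-list")
        verdict = "non-standard"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "known"
    return {"verdict": verdict, "sha1": digest, "label": label,
            "partitions": parts, "findings": findings}


def read_mbr(device):
    r"""Read sector 0 from a raw device: \\.\PhysicalDrive0 on Windows (needs
    administrator rights) or /dev/sda on Linux (needs root). Not called below."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed sample: a small utility partition at LBA 63 followed by an active
# NTFS partition at LBA 80325, i.e. byte offset 0x02738a00 as in the MBRCheck log.
# The boot-code bytes are a short stand-in, not a real vendor MBR.
SAMPLE_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfb")
SAMPLE_MBR = build_sample_mbr(SAMPLE_BOOT_CODE,
                              [(False, 0xDE, 63, 80262), (True, 0x07, 80325, 156000000)])
SAMPLE_ALLOW_LIST = {boot_code_sha1(SAMPLE_MBR): "constructed-sample-mbr"}  # assumed allow-list

if __name__ == "__main__":
    result = check_mbr(SAMPLE_MBR, SAMPLE_ALLOW_LIST)
    print(result["verdict"], result["sha1"], result["findings"])
    for p in result["partitions"]:
        print(p)
```

One caveat that matters for this thread: a bootkit that hooks the disk driver stack (the TDL3/TDL4 family does this) can hand back the original, clean sector when the infected operating system reads sector 0, so a hash taken from inside the running system can report stock vendor code while an offline scanner still flags the disk. Take the sector from clean boot media, or compare an in-OS read against one taken offline, before trusting a "known" verdict.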
 


#9 tps

tps
  • Topic Starter
  • Members
  • 7 posts

Posted 11 October 2010 - 06:27 PM

Thanks etavares. This system has been disconnected from the web for a while now. It's not my system; I'm trying to get it back to a working state for a family member, so I'm not sure if it has been used for online banking, but I will find out.

Here are the logs you requested:

MBRCheck:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000002d

Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0x8A6A5000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7989000 intelide.sys
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF74C0000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A0000 fltmgr.sys
0xF748E000 sr.sys
0xF7479000 drvmcdb.sys
0xF7717000 PxHelp20.sys
0xF7462000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7435000 NDIS.sys
0xF741B000 Mup.sys
0xF7647000 32664142.sys
0xF7657000 17230142.sys
0xB9C5B000 \SystemRoot\System32\Drivers\mvb35316.SYS
0xBA7B8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB993C000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9928000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9C53000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9904000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB9C4B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB98D0000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB98AD000 \SystemRoot\system32\DRIVERS\ks.sys
0xB97AE000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB9707000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xB9AC2000 \SystemRoot\System32\Drivers\Modem.SYS
0xB96E1000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xB9ABA000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA7A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB9AB2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB9AAA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA798000 \SystemRoot\system32\DRIVERS\serial.sys
0xF792F000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB96CD000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA788000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF79BD000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xBA778000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA768000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB968D000 \SystemRoot\system32\drivers\smwdm.sys
0xB9669000 \SystemRoot\system32\drivers\portcls.sys
0xBA758000 \SystemRoot\system32\drivers\drmk.sys
0xB95B6000 \SystemRoot\system32\drivers\senfilt.sys
0xF79BF000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7A77000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA748000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7937000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB959F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA738000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7677000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB9AA2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB958E000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7687000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB9A9A000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB9A92000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7697000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79C1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9530000 \SystemRoot\system32\DRIVERS\update.sys
0xB9FFE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB91B0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9180000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79F9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA7F4000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xBA006000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA7FC000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xAE7EE000 \SystemRoot\system32\DRIVERS\1723014.sys
0xF798B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB8DEA000 \SystemRoot\System32\Drivers\Null.SYS
0xF798D000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77AF000 \SystemRoot\system32\drivers\ssrtln.sys
0xF7797000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7807000 \SystemRoot\System32\drivers\vga.sys
0xF798F000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7991000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB9D17000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF780F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA723000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAE5E8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAE58F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAE555000 \SystemRoot\System32\Drivers\avgtdix.sys
0xAE507000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAF434000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAE476000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAE454000 \SystemRoot\System32\drivers\afd.sys
0xAF464000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAE429000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAE3B9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAF414000 \SystemRoot\System32\Drivers\Fips.SYS
0xF773F000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xAE36A000 \SystemRoot\System32\Drivers\avgldx86.sys
0xA63B0000 \SystemRoot\system32\DRIVERS\32664141.sys
0xA5E90000 \SystemRoot\system32\DRIVERS\17230141.sys
0xA5E6C000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAC15A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA5E54000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xADB62000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xACFFC000 \SystemRoot\System32\drivers\Dxapi.sys
0xB9C83000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB76A7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xB88E1000 \SystemRoot\system32\drivers\drvnddm.sys
0xAC98F000 \SystemRoot\system32\dla\tfsndres.sys
0xA5E3E000 \SystemRoot\system32\dla\tfsnifs.sys
0xB7508000 \SystemRoot\system32\dla\tfsnopio.sys
0xADB54000 \SystemRoot\system32\dla\tfsnpool.sys
0xF775F000 \SystemRoot\system32\dla\tfsnboio.sys
0xB9160000 \SystemRoot\system32\dla\tfsncofs.sys
0xAC98E000 \SystemRoot\system32\dla\tfsndrct.sys
0xA5E25000 \SystemRoot\system32\dla\tfsnudf.sys
0xA5E0C000 \SystemRoot\system32\dla\tfsnudfa.sys
0xA97D7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA5CC7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA5CB2000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9ACA000 \SystemRoot\system32\drivers\sysaudio.sys
0xA5D30000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA5ACA000 \SystemRoot\system32\DRIVERS\srv.sys
0xA6C91000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0xAC07A000 \??\C:\DOCUME~1\claire\LOCALS~1\Temp\mbr.sys
0xA7002000 \??\C:\DOCUME~1\claire\LOCALS~1\Temp\catchme.sys
0xA6DEF000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xA5589000 \SystemRoot\System32\Drivers\HTTP.sys
0xA6C59000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xA555E000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
0x7C800000 \WINDOWS\system32\kernel32.dll

Processes (total 32):
0 System Idle Process
4 System
556 C:\WINDOWS\system32\smss.exe
620 csrss.exe
644 C:\WINDOWS\system32\winlogon.exe
688 C:\WINDOWS\system32\services.exe
700 C:\WINDOWS\system32\lsass.exe
868 C:\WINDOWS\system32\svchost.exe
936 svchost.exe
976 C:\WINDOWS\system32\svchost.exe
1048 svchost.exe
1128 C:\Program Files\AVG\AVG9\avgchsvx.exe
1136 C:\Program Files\AVG\AVG9\avgrsx.exe
1192 svchost.exe
1276 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1620 C:\WINDOWS\system32\lexbces.exe
1692 C:\WINDOWS\system32\lexpps.exe
1720 C:\WINDOWS\system32\spoolsv.exe
1844 svchost.exe
1952 C:\Program Files\AVG\AVG9\avgwdsvc.exe
192 locator.exe
280 C:\WINDOWS\system32\svchost.exe
1040 C:\Program Files\AVG\AVG9\avgemc.exe
1312 C:\Program Files\AVG\AVG9\avgnsx.exe
2104 C:\Program Files\AVG\AVG9\avgcsrvx.exe
2672 alg.exe
2704 C:\WINDOWS\system32\wscntfy.exe
1420 C:\WINDOWS\explorer.exe
3556 C:\WINDOWS\system32\wuauclt.exe
4088 C:\WINDOWS\system32\wuauclt.exe
3784 C:\WINDOWS\system32\wuauclt.exe
1468 C:\Documents and Settings\claire\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: Maxtor6Y080L0, Rev: YAR41BW0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 84B95CE8A54B7C5C3AAF149934FC46FB70FF8365


Done!


RKUnhook:


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xA5E90000 C:\WINDOWS\system32\DRIVERS\17230141.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xA63B0000 C:\WINDOWS\system32\DRIVERS\32664141.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189184 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189184 bytes
0x804D7000 RAW 2189184 bytes
0x804D7000 WMIxWDM 2189184 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB993C000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xB97AE000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xB95B6000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xB9707000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 684032 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAE3B9000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9530000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAE58F000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA5ACA000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xAE7EE000 C:\WINDOWS\system32\DRIVERS\1723014.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wnet_x86])
0xA5589000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB968D000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xAE555000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xAE36A000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB98D0000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 212992 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA5CC7000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7435000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA555E000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAE429000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAE476000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB96E1000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xAE507000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA5E6C000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB9669000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9904000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB98AD000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAE454000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74A0000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF741B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xA5E25000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xA5E0C000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF74C0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA5E54000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7462000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB959F000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA5E3E000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7479000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xA5CB2000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB96CD000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9928000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAE5E8000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF748E000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB958E000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xAC15A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA778000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA798000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA758000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA768000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB9ACA000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB9180000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF7657000 17230142.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF7647000 32664142.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA7A8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA748000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7677000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xAF414000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA788000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA738000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xB88E1000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB91B0000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7697000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA7B8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7687000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xAF464000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA584A000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB9160000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xAF434000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA7002000 C:\DOCUME~1\claire\LOCALS~1\Temp\catchme.sys 32768 bytes
0xB9AC2000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF780F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB9C4B000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB9ABA000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7797000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB9C5B000 C:\WINDOWS\System32\Drivers\mvb35316.SYS 28672 bytes
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF775F000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xA6C59000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF773F000 C:\WINDOWS\System32\Drivers\avgmfx86.sys 24576 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xB9AB2000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xAC07A000 C:\DOCUME~1\claire\LOCALS~1\Temp\mbr.sys 24576 bytes
0xB9AAA000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF77AF000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xA6C91000 C:\WINDOWS\system32\drivers\symlcbrd.sys 24576 bytes (Symantec Corporation, Symantec Core Component)
0xB9C53000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7807000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA006000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xB9D17000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB9A9A000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7717000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB9A92000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xB9AA2000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB9C83000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA7F4000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xB9FFE000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA97D7000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF792F000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB7508000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF789B000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xACFFC000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA7FC000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xA5D30000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7937000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA723000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF798D000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xADB62000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF798B000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7989000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF798F000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xA6DEF000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xF7991000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79BF000 C:\WINDOWS\system32\DRIVERS\serscan.sys 8192 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0xF79BD000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF79C1000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xADB54000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF79F9000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7987000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8A6A5000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A77000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB76A7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB8DEA000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xAC98E000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xAC98F000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
!!!!!!!!!!!Hidden driver: 0x8A657ABF ?_empty_? 1345 bytes
==============================================
>Stealth
==============================================
0xF74C0000 WARNING: suspicious driver modification [atapi.sys::0x8A657ABF]


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:33 AM

Posted 12 October 2010 - 04:59 PM

Hello, tps.


Step 1
  1. Download TDSSKiller.exe and save it to your desktop.
  2. Double-click TDSSKiller.exe to run it.
  3. Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  4. Click Start scan and allow it to scan for Malicious objects.
  5. If malicious objects are found, the default action will be Cure; ensure Cure is selected, then click Continue.
  6. If suspicious objects are detected, the default action will be Skip; ensure Skip is selected, then click Continue.
  7. It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  8. A log will be created on your root (usually C:) drive. The log is named like UtilityName.Version_Date_Time_log.txt,
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  9. If no reboot is required, click on Report. A log file should appear.
  10. Please post the contents of the logfile in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
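The log this step produces has the line format shown in tps's reply further down the thread (timestamp, service name, MD5 in parentheses, file path). As an added example for this thread, not code from TDSSKiller or from either poster, here is a small Python parser that turns such a log into a driver inventory and lists any MD5 that appears under more than one file name; SAMPLE_LOG is constructed from a handful of the posted lines, and the pairing it reports is Kaspersky's own driver under two numeric names (see the RkUnhooker listing above), so the output is a triage cue, not a verdict.

```python
"""Parse a TDSSKiller log of the shape posted in this thread and pull out the
driver inventory so a helper can triage it without reading 150 lines by eye.
Added example for this thread; not part of TDSSKiller or of any post here."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the posted log's format: the five driver lines are copied
# from the log tps pasted (hashes as posted); the header is trimmed to a few rows.
SAMPLE_LOG = r"""
2010/10/12 18:04:51.0406 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/12 18:04:51.0406 ================================================================================
2010/10/12 18:04:51.0406 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/12 18:04:51.0406 Boot type: Normal boot
2010/10/12 18:05:01.0640 Scan started
2010/10/12 18:05:01.0640 Mode: Manual;
2010/10/12 18:05:02.0406 17230141 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\17230141.sys
2010/10/12 18:05:02.0796 32664141 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\32664141.sys
2010/10/12 18:05:06.0093 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/12 18:05:07.0687 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/12 18:05:07.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
"""

# Every TDSSKiller line starts with a "YYYY/MM/DD HH:MM:SS.mmmm" stamp.
STAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) ?(.*)$")
# Driver rows: "<service name> (<md5>) <path>"
DRIVER = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (.+)$")
# Header rows: "Key: value" (an optional trailing ';' as in "Mode: Manual;")
HEADER = re.compile(r"^([A-Za-z][A-Za-z ]*): (.+?);?$")


@dataclass(frozen=True)
class Driver:
    stamp: str
    name: str   # service name as TDSSKiller reports it
    md5: str
    path: str

    @property
    def basename(self) -> str:
        """File name without directory, lower-cased for comparison."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> dict:
    """Split the log into header fields, driver records and free-text events."""
    header, drivers, events = {}, [], []
    for raw in text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue                      # not a TDSSKiller line, ignore it
        stamp, body = m.groups()
        if not body or set(body) == {"="}:
            continue                      # blank row or "=====" separator
        d = DRIVER.match(body)
        if d:
            drivers.append(Driver(stamp, *d.groups()))
            continue
        h = HEADER.match(body)
        if h:
            header[h.group(1)] = h.group(2)
        else:
            events.append((stamp, body))  # "Scan started", "Initialize success", ...
    return {"header": header, "drivers": drivers, "events": events}


def shared_hashes(drivers) -> dict:
    """MD5s that appear under more than one distinct file name.

    The same file listed twice under two service names (cbidf / cbidf2k above)
    is normal and is not reported; one binary present under several different
    file names is worth a closer look. In this thread the only hit is the
    Kaspersky driver pair 17230141.sys / 32664141.sys, which is benign."""
    by_md5 = defaultdict(set)
    for d in drivers:
        by_md5[d.md5.lower()].add(d.basename)
    return {md5: sorted(names) for md5, names in by_md5.items() if len(names) > 1}


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print("header:", rep["header"])
    print("drivers:", len(rep["drivers"]))
    for md5, names in shared_hashes(rep["drivers"]).items():
        print(md5, "->", ", ".join(names))
```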


#11 tps

tps
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:33 AM

Posted 12 October 2010 - 05:42 PM

Thanks, etavares. Here is the log file from TDSSKiller.exe:


2010/10/12 18:04:51.0406 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/12 18:04:51.0406 ================================================================================
2010/10/12 18:04:51.0406 SystemInfo:
2010/10/12 18:04:51.0406
2010/10/12 18:04:51.0406 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/12 18:04:51.0406 Product type: Workstation
2010/10/12 18:04:51.0406 ComputerName: BARRYCPU
2010/10/12 18:04:51.0406 UserName: claire
2010/10/12 18:04:51.0406 Windows directory: C:\WINDOWS
2010/10/12 18:04:51.0406 System windows directory: C:\WINDOWS
2010/10/12 18:04:51.0406 Processor architecture: Intel x86
2010/10/12 18:04:51.0406 Number of processors: 1
2010/10/12 18:04:51.0406 Page size: 0x1000
2010/10/12 18:04:51.0406 Boot type: Normal boot
2010/10/12 18:04:51.0406 ================================================================================
2010/10/12 18:04:51.0640 Initialize success
2010/10/12 18:05:01.0640 ================================================================================
2010/10/12 18:05:01.0640 Scan started
2010/10/12 18:05:01.0640 Mode: Manual;
2010/10/12 18:05:01.0640 ================================================================================
2010/10/12 18:05:02.0406 17230141 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\17230141.sys
2010/10/12 18:05:02.0593 17230142 (a305fad3719c5db0c13d1c2bfd08a04d) C:\WINDOWS\system32\DRIVERS\17230142.sys
2010/10/12 18:05:02.0796 32664141 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\32664141.sys
2010/10/12 18:05:02.0953 32664142 (a305fad3719c5db0c13d1c2bfd08a04d) C:\WINDOWS\system32\DRIVERS\32664142.sys
2010/10/12 18:05:03.0187 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/10/12 18:05:03.0375 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/12 18:05:03.0546 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/12 18:05:03.0718 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/12 18:05:03.0812 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/12 18:05:03.0937 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/12 18:05:04.0078 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/10/12 18:05:04.0234 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/10/12 18:05:04.0375 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/10/12 18:05:04.0531 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/10/12 18:05:04.0687 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/10/12 18:05:04.0843 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/12 18:05:05.0000 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/10/12 18:05:05.0140 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/10/12 18:05:05.0296 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/10/12 18:05:05.0453 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/10/12 18:05:05.0593 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/10/12 18:05:05.0765 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/10/12 18:05:05.0921 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/12 18:05:06.0093 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/12 18:05:06.0281 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/12 18:05:06.0437 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/12 18:05:06.0687 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2010/10/12 18:05:06.0843 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2010/10/12 18:05:07.0062 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2010/10/12 18:05:07.0234 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/12 18:05:07.0687 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/12 18:05:07.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/12 18:05:07.0968 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/10/12 18:05:08.0109 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/12 18:05:08.0234 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/12 18:05:08.0453 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/12 18:05:08.0703 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/10/12 18:05:08.0859 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/12 18:05:09.0015 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/12 18:05:09.0171 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/12 18:05:09.0343 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/12 18:05:09.0531 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/12 18:05:09.0750 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/12 18:05:09.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/12 18:05:10.0031 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/12 18:05:10.0203 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/12 18:05:10.0343 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/12 18:05:10.0531 drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys
2010/10/12 18:05:10.0703 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
2010/10/12 18:05:10.0890 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/12 18:05:11.0078 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/12 18:05:11.0234 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/12 18:05:11.0390 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/12 18:05:11.0531 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/12 18:05:11.0703 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/12 18:05:11.0921 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/12 18:05:12.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/12 18:05:12.0281 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/12 18:05:12.0437 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/12 18:05:12.0625 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/12 18:05:12.0812 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/10/12 18:05:13.0015 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/10/12 18:05:13.0218 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/12 18:05:13.0375 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/12 18:05:13.0500 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/12 18:05:13.0718 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/12 18:05:13.0984 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/10/12 18:05:14.0187 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/12 18:05:14.0343 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/12 18:05:14.0500 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/12 18:05:14.0687 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/12 18:05:14.0843 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/12 18:05:15.0015 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/12 18:05:15.0203 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/12 18:05:15.0359 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/12 18:05:15.0546 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/12 18:05:15.0671 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/12 18:05:15.0843 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/12 18:05:16.0000 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/12 18:05:16.0171 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/12 18:05:16.0328 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/12 18:05:16.0484 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/12 18:05:16.0796 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/12 18:05:16.0953 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/12 18:05:17.0093 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/12 18:05:17.0234 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/10/12 18:05:17.0421 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/12 18:05:17.0593 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/12 18:05:17.0765 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/12 18:05:17.0937 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/12 18:05:18.0093 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/12 18:05:18.0265 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/12 18:05:18.0453 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/12 18:05:18.0609 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/12 18:05:18.0765 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/12 18:05:18.0937 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/12 18:05:19.0093 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/12 18:05:19.0296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/12 18:05:19.0468 mvb35316 (dc993837129a691cfe842f04c87b91fb) C:\WINDOWS\system32\drivers\mvb35316.sys
2010/10/12 18:05:19.0656 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/12 18:05:19.0812 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/12 18:05:36.0312 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/12 18:05:36.0312 ================================================================================
2010/10/12 18:05:36.0312 Scan finished
2010/10/12 18:05:36.0312 ================================================================================
2010/10/12 18:05:36.0343 Detected object count: 1
2010/10/12 18:05:45.0531 \HardDisk0\MBR - will be cured after reboot
2010/10/12 18:05:45.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/12 18:05:58.0625 Deinitialize success

I ran the TDSSKiller.exe scan again after a reboot, and it returned clean. However, mbam.exe still closes after 2 seconds into the scan.

Edited by tps, 12 October 2010 - 05:46 PM.
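The TDSSKiller lines quoted above have a fixed shape, and the "will be cured after reboot" notice is a promise rather than a result, which is why a rescan after rebooting (as done here) is the real check. As an added example, not code from this thread or from Kaspersky, the following Python parser summarises that log format: it collects driver records, ties each detection to the action chosen and its reboot status, and lists objects that still need a post-reboot rescan. The sample log is constructed from the scan output posted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Record shapes seen in the TDSSKiller output above: a timestamp, then one of four line types.
_TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+"
DRIVER_RE = re.compile(_TS + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
DETECT_RE = re.compile(_TS + r"(?P<obj>\\\S+) - detected (?P<verdict>\S+) \(\d+\)$")
CURE_RE = re.compile(_TS + r"(?P<obj>\\\S+) - will be cured after reboot$")
ACTION_RE = re.compile(_TS + r"[^\s(]+\((?P<obj>\\[^)]+)\) - User select action: (?P<action>\w+)$")

@dataclass
class Detection:
    obj: str                       # e.g. \HardDisk0\MBR
    verdict: str                   # e.g. Rootkit.Win32.TDSS.tdl4
    action: str = "none"           # what the user chose (Cure, Skip, ...)
    pending_reboot: bool = False   # "will be cured after reboot" means not cured yet

@dataclass
class ScanSummary:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # name -> (md5, path)
    detections: Dict[str, Detection] = field(default_factory=dict)       # object -> detection

def parse_tdsskiller_log(text: str) -> ScanSummary:
    """Fold the log into a summary; banner and separator lines are skipped."""
    s = ScanSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVER_RE.match(line):
            s.drivers[m["name"]] = (m["md5"], m["path"])
        elif m := DETECT_RE.match(line):
            s.detections[m["obj"]] = Detection(m["obj"], m["verdict"])
        elif (m := CURE_RE.match(line)) and m["obj"] in s.detections:
            s.detections[m["obj"]].pending_reboot = True
        elif (m := ACTION_RE.match(line)) and m["obj"] in s.detections:
            s.detections[m["obj"]].action = m["action"]
    return s

def unresolved_objects(s: ScanSummary) -> List[str]:
    """Objects still needing a post-reboot rescan before the disk can be called clean."""
    return sorted(o for o, d in s.detections.items() if d.action != "Cure" or d.pending_reboot)

# Constructed sample: the tail of the scan output posted in this thread.
SAMPLE_LOG = r"""
2010/10/12 18:05:36.0234 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/12 18:05:36.0312 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/12 18:05:36.0343 Detected object count: 1
2010/10/12 18:05:45.0531 \HardDisk0\MBR - will be cured after reboot
2010/10/12 18:05:45.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
"""
```

Run the parser over the post-reboot log as well: only when `unresolved_objects` is empty for that second scan has the MBR detection actually gone away.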


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 12 October 2010 - 06:11 PM

Hello, tps.

You had the newest variant of the TDL/TDSS/Tidserv rootkit. It is a backdoor so I must warn you:

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#13 tps

tps
  • Topic Starter

  • Members
  • 7 posts

Posted 13 October 2010 - 04:09 PM

Thank you etavares. I will be taking your advice and re-formatting the hard drive, re-installing the OS. Many thanks for all your help.

-T

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 13 October 2010 - 05:52 PM

Hello, tps.

Ok, thanks for letting me know. A very good and safe choice. I'll leave this open a few more days in case you have questions.




Here's a good article on how to reformat:
When Should I Format, How Should I Reinstall

Also, to protect yourself against malware and reduce your chance of reinfection in the future, I strongly recommend having a look at the following links (which give some advice and tips):
etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 20 October 2010 - 05:32 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 