

Browser Redirect - Rootkit?


This topic is locked
12 replies to this topic

#1 MohZ

  • Members
  • 6 posts

Posted 05 October 2010 - 10:45 AM

Win XP SP3
IE
I did not install anything at the time of infection (10/01, AM). I was looking online for a printer part so probably got this from an unknown site. Did not notice it until later in the afternoon when a svchost.exe was running at 95% and net activity was continuous. Locked up when I disconnected the network cable. Upon reboot, I ran MalwareBytes and it found two files and one reg entry, all flagged as Trojan. Removed those. Tried the browser and was redirected. Then, unfortunately, I ran Combofix (found this site much later). Anyway it found Rootkit activity, re-booted, cleaned it up, but it came back. I tried this twice. Then I found this site. Since then, I ran:
-ATF (cleaned all)
-DeFogger
-DDS (logs attached)
-RootKit Unhooker (log attached)
-GMER (log attached)

Please advise as to what the next step should be and let me know if I have forgotten to attach anything important.
Thanks

Attached Files




#2 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 12 October 2010 - 11:46 AM

Hello MohZ ,



Sorry for the delay. If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 MohZ

  • Topic Starter
  • Members
  • 6 posts

Posted 13 October 2010 - 10:19 AM

Thanks tea
Poking around I found some posts where the experts preferred the logs to be posted rather than attached. Please let me know if I should attach them instead. Here are brand new DDS and HJT logs. It may be worth noting that I have been using this workstation offline and except for being a bit slow sometimes it runs OK. However, as soon as I connect the net cable I get the redirects while browsing. Thanks again for your time.

DDS (Ver_10-03-17.01) - NTFSx86
Run by akiel at 10:03:14.31 on Wed 10/13/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.467 [GMT -5:00]

AV: Sunbelt VIPRE *On-access scanning enabled* (Outdated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\MALWARE\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.drudgereport.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SBAMTray] c:\program files\sunbelt software\sbeagent\SBAMTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252433550361
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {A6B29613-A294-42F0-B4BB-86454D14351A} = 192.168.0.11,192.168.0.1,209.150.200.10,64.65.128.6
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-2-17 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2010-2-17 203056]
R2 HPWebJetadmin;HP Web Jetadmin;c:\program files\hp web jetadmin\hpwebjetd.exe [2010-7-14 13312]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2010-1-4 1012080]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-2-17 69936]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-10-04 22:41:57 0 ----a-w- c:\documents and settings\akieo\defogger_reenable
2010-10-04 18:42:01 0 d-----w- C:\HappyFunTimes17967H
2010-10-04 17:59:51 0 d-----w- C:\HappyFunTimes
2010-10-04 17:03:15 0 d-sha-r- C:\cmdcons
2010-10-04 16:59:59 77312 ----a-w- c:\windows\MBR.exe
2010-10-04 16:59:59 256512 ----a-w- c:\windows\PEV.exe
2010-10-04 16:43:11 0 d-----w- c:\docume~1\akieo\applic~1\Malwarebytes
2010-10-04 16:35:46 0 d-----w- c:\program files\Trend Micro
2010-10-04 16:08:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 16:08:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 16:08:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-04 16:08:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-04 15:57:12 98816 ----a-w- c:\windows\sed.exe
2010-10-04 15:57:12 161792 ----a-w- c:\windows\SWREG.exe
2010-10-04 15:56:51 0 d-----w- C:\HappyFun
2010-10-04 15:56:50 389120 ----a-w- c:\windows\system32\CF11280.exe
2010-09-15 21:42:34 0 d-----w- C:\HP LJ9040-9050 MFPpcl5
2010-09-15 21:42:17 0 d-----w- C:\HP LJ9040-9050 MFPps
2010-09-15 19:55:42 0 d-----w- C:\HP LJ9040-9050 MFP

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 10:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2008-12-03 21:20:07 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120320081204\index.dat

============= FINISH: 10:04:54.12 ===============

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:02:24 AM, on 10/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-4260144647-1992702267-3339043536-500\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-919815456-1204180249-1606240830-1045\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.0.114
O15 - Trusted IP range: http://192.168.0.039
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1252433550361
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = valstarprinters.local
O17 - HKLM\Software\..\Telephony: DomainName = valstarprinters.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B29613-A294-42F0-B4BB-86454D14351A}: NameServer = 192.168.0.11,192.168.0.1,209.150.200.10,64.65.128.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = valstarprinters.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: VIPRE Enterprise Agent (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe

--
End of file - 6513 bytes

Attached Files



#4 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 October 2010 - 12:57 PM

Hello,

A couple of things that might make this easier....there are 3 instances of Windows updates running at once. For the time being, disable them and see if that helps with the slowness issue. You'll want to re-enable them when we're done here. Do you run through a router? You mentioned that the redirects happen when you're online, which makes sense....if you do run a router, disconnect it from the computer completely, reset it and put a password on it and let me know if the redirects stop.

Thanks,
tea
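As an added illustration of the checks tea walks through above (this is not code from the thread or from any of the tools named in it), here is a small Python triage script run over a few constructed lines copied from the HijackThis log posted earlier: it counts repeated process entries, splits out the O17 NameServer list and marks any resolver outside private address space, and lists O15 trusted-range entries for review. The threshold of three repeats and the svchost.exe exemption are my assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis log posted in this
# thread, enough to exercise each check.  Not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

O15 - Trusted IP range: http://192.168.0.114
O15 - Trusted IP range: http://192.168.0.039
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = valstarprinters.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6B29613-A294-42F0-B4BB-86454D14351A}: NameServer = 192.168.0.11,192.168.0.1,209.150.200.10,64.65.128.6
"""

# A running-process line is a full Windows path ending in .exe; capture the basename.
PROC_RE = re.compile(r"^[A-Za-z]:\\(?:.*\\)?([^\\]+\.exe)$", re.IGNORECASE)
O17_NS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O15_RE = re.compile(r"^O15 - Trusted IP range: (\S+)$")


def process_counts(log_text):
    """Count running-process entries by executable name, case-folded."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def repeated_processes(log_text, threshold=3, ignore=("svchost.exe",)):
    """Executables listed `threshold` or more times.  svchost.exe is exempt because
    several instances are normal; the threshold of three matches the count tea
    called out and is an assumption, not a rule."""
    return {exe: n for exe, n in process_counts(log_text).items()
            if n >= threshold and exe not in ignore}


def name_servers(log_text):
    """All resolver addresses from O17 NameServer entries, in listed order."""
    servers = []
    for line in log_text.splitlines():
        m = O17_NS_RE.match(line.strip())
        if m:
            servers.extend(s.strip() for s in m.group(1).split(","))
    return servers


def is_private(ip_text):
    """True for RFC 1918, loopback and link-local addresses.  Text that is not a
    valid address (recent Python versions reject leading-zero octets such as
    192.168.0.039) is treated as not private so it surfaces for review."""
    try:
        return ipaddress.ip_address(ip_text).is_private
    except ValueError:
        return False


def public_name_servers(log_text):
    """Resolvers outside private address space.  On a machine joined to a .local
    domain these should be confirmed against what the router or ISP actually
    hands out, which is what tea's router advice is getting at."""
    return [ip for ip in name_servers(log_text) if not is_private(ip)]


def trusted_ranges(log_text):
    """O15 trusted-IP-range entries; each widens IE's Trusted Sites zone and
    should be accounted for by whoever administers the machine."""
    ranges = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            ranges.append(m.group(1))
    return ranges


def triage(log_text):
    """Collect the findings a first-pass reader of the log would want listed."""
    findings = []
    for exe, n in sorted(repeated_processes(log_text).items()):
        findings.append(f"{n} instances of {exe} running")
    public = public_name_servers(log_text)
    if public:
        findings.append("name servers outside private space: " + ", ".join(public))
    for rng in trusted_ranges(log_text):
        findings.append(f"O15 trusted IP range: {rng}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```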

#5 MohZ

  • Topic Starter
  • Members
  • 6 posts

Posted 13 October 2010 - 04:42 PM

I disabled the automatic updates and killed the wuauclt.exe. Is that sufficient?
I do run through a router along with about 10 other workstations. So far (10 days) only one (mine) is having problems. There is a password on the router which I don't have but may be able to get in a day or two, so at the moment I cannot reset it. I have been disconnected from it for a week. I don't want to screw anything up for all the users not having problems, so given that the others are not having any problems and the router is and has been password protected, is a reset necessary? I'm not trying to second guess; I'm just hesitant to call the admin guy unless absolutely necessary due to his availability and expense. Yes, I'm cheap, but I also want to know how to fix this thing myself.

Also, I forgot to mention that the MalwareBytes report stated as trojan: 6to4v32.dll in the system32 folder and 6to4 in HKLM\System\CurrentControlSet\Services\, as well as some file in temp I forgot to write down.

Thanks in advance for not losing patience with me.

#6 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 October 2010 - 05:32 PM

Hello,

No....don't bother. Also, since this is clearly a business computer, I must recommend that you use your IT guy. It isn't a matter of patience; I don't want to go against any policies that might be in place regarding the network and have anyone in trouble, like myself or BC.

tea

#7 MohZ

  • Topic Starter
  • Members
  • 6 posts

Posted 14 October 2010 - 12:55 AM

tea,
I know how my situation sounds but it is quite different than you think. Our IT guy is not ours. He's not on our payroll, nor do we have a contract. I was actually encouraged to fix this on my own (so to speak) by my boss (the owner). We're very small and only hired the IT guy to set up our new (6 months ago) server and router. We were running NT on...I think it was a P3 until then. Now, I'm kind of the IT guy - a hack at best, but we get by. I just assumed the router password would be the same as the old one, which I have, but does me no good. No one else will touch the system and I think it is all very interesting, even the malware. Everyone here is in the loop and knows what is going on currently because I want them to watch their workstations to make sure this does not spread. I have manually removed viruses before but I just can't seem to find where this one is hiding.
Anyway, if you're still willing to help me (us) out I'd be much appreciative - and would blame no one but ME for any problems that might crop up (we have no policies written or otherwise, which is probably how I got infected). If not, I'll go it alone and I understand your position.
Thanks for your time - you guys are a great resource and are all very much appreciated!

MohZ

Oh, and best of luck with the dental thing. The bold red font makes it look painful. Ugh

Edited by MohZ, 14 October 2010 - 12:59 AM.


#8 teacup61

    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 October 2010 - 07:26 AM

Hello,

Thanks for the good wishes. I'm dreading it, considering what is going to be done.....you'd think someone who had 6 kids could handle THIS, but I'm super squeamish about the dentist.

I noticed Vipre is outdated. I recommend removing it altogether, to be honest. Though it is, for the most part, a good product, I have seen it cause some pretty wild damage on a normal system and wouldn't want it to happen to you. There are free ones (You said you guys were cheap!!) that are just as good, and actually better, than a lot of paid ones. AVG, Avira OR Avast are good FREE antivirus. I use Avira myself.


Download TDSSKiller and save it to your Desktop.
  • Extract the file and run it.
  • Once completed it will create a log in the root directory (usually C:\).
  • Please post the contents of that log in your next reply.

I'll be here as soon as I can manage tomorrow.

Thanks,
tea



#9 MohZ

  • Topic Starter
  • Members
  • 6 posts

Posted 15 October 2010 - 08:36 AM

tea,
I hope your mouth is all better now and that it was not too terrifying to fix.
Thank you soooo much for helping. Vipre was installed along with the server. I have never really trusted it and it is good to hear AVG is among the best - I use that at home. I might give that Avira a try here.
I ran the TDSSKiller and I seem to be running fine now. Do I need to do something else just to be sure?
THANK YOU

2010/10/14 14:23:31.0171 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/14 14:23:31.0171 ================================================================================
2010/10/14 14:23:31.0171 SystemInfo:
2010/10/14 14:23:31.0171
2010/10/14 14:23:31.0171 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/14 14:23:31.0171 Product type: Workstation
2010/10/14 14:23:31.0171 ComputerName: TECHRMXP2
2010/10/14 14:23:31.0171 UserName: akiel
2010/10/14 14:23:31.0171 Windows directory: C:\WINDOWS
2010/10/14 14:23:31.0171 System windows directory: C:\WINDOWS
2010/10/14 14:23:31.0171 Processor architecture: Intel x86
2010/10/14 14:23:31.0171 Number of processors: 2
2010/10/14 14:23:31.0171 Page size: 0x1000
2010/10/14 14:23:31.0171 Boot type: Normal boot
2010/10/14 14:23:31.0171 ================================================================================
2010/10/14 14:23:31.0390 Initialize success
2010/10/14 14:23:34.0609 ================================================================================
2010/10/14 14:23:34.0609 Scan started
2010/10/14 14:23:34.0609 Mode: Manual;
2010/10/14 14:23:34.0609 ================================================================================
2010/10/14 14:23:35.0468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/14 14:23:35.0531 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/14 14:23:35.0671 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/14 14:23:35.0734 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/14 14:23:35.0906 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/14 14:23:35.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/14 14:23:35.0968 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/14 14:23:36.0093 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/14 14:23:36.0171 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/10/14 14:23:36.0234 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/14 14:23:36.0812 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/14 14:23:36.0953 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/14 14:23:37.0281 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/14 14:23:37.0343 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/14 14:23:37.0406 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2010/10/14 14:23:37.0484 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/14 14:23:37.0515 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/10/14 14:23:37.0734 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/14 14:23:37.0828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/14 14:23:37.0875 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/14 14:23:37.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/14 14:23:37.0953 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/14 14:23:38.0046 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/10/14 14:23:38.0109 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/10/14 14:23:38.0156 dot4ufd (0a57b5876530febb4ebf6ad501864f96) C:\WINDOWS\system32\DRIVERS\hppaufd0.sys
2010/10/14 14:23:38.0187 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2010/10/14 14:23:38.0250 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/14 14:23:38.0312 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/14 14:23:38.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/14 14:23:38.0421 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/14 14:23:38.0625 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/14 14:23:38.0734 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/14 14:23:38.0828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/14 14:23:38.0859 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/14 14:23:38.0937 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/14 14:23:39.0000 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/14 14:23:39.0140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/14 14:23:39.0312 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
2010/10/14 14:23:39.0437 ialm (0294a30b302ca71a2c26e582dda93486) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/10/14 14:23:39.0484 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/14 14:23:39.0562 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/14 14:23:39.0609 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/14 14:23:39.0656 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/14 14:23:39.0734 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/14 14:23:39.0781 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/14 14:23:39.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/14 14:23:39.0875 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/14 14:23:39.0953 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/14 14:23:39.0968 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/14 14:23:40.0000 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/14 14:23:40.0062 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/14 14:23:40.0093 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/14 14:23:40.0187 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/14 14:23:40.0296 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/14 14:23:40.0359 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/14 14:23:40.0437 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/14 14:23:40.0484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/14 14:23:40.0562 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/14 14:23:40.0593 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/14 14:23:40.0625 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/14 14:23:40.0671 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/14 14:23:40.0703 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/14 14:23:40.0750 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/14 14:23:40.0796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/14 14:23:40.0843 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/14 14:23:40.0937 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/14 14:23:40.0984 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/14 14:23:41.0062 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/14 14:23:41.0109 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/14 14:23:41.0187 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/14 14:23:41.0218 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/14 14:23:41.0234 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/14 14:23:41.0265 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/14 14:23:41.0328 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/14 14:23:41.0359 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/14 14:23:41.0390 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/14 14:23:41.0468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/14 14:23:41.0500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/14 14:23:41.0546 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/14 14:23:41.0562 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/14 14:23:41.0640 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/14 14:23:41.0687 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/14 14:23:41.0734 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/14 14:23:41.0750 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/14 14:23:41.0781 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/14 14:23:41.0843 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/14 14:23:42.0046 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/14 14:23:42.0093 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/14 14:23:42.0125 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/14 14:23:42.0406 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/14 14:23:42.0531 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/14 14:23:42.0546 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/14 14:23:42.0562 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/14 14:23:42.0609 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/14 14:23:42.0640 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/14 14:23:42.0718 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/14 14:23:42.0781 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/14 14:23:42.0828 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/14 14:23:43.0015 sbaphd (633b92550b29b09647e5d06f7f376d69) C:\WINDOWS\system32\drivers\sbaphd.sys
2010/10/14 14:23:43.0062 sbapifs (545f05311f9653c17fd43d024985f787) C:\WINDOWS\system32\drivers\sbapifs.sys
2010/10/14 14:23:43.0093 SBRE (4019149e4e296072831c8855605d9fdc) C:\WINDOWS\system32\drivers\SBREdrv.sys
2010/10/14 14:23:43.0140 sbtis (cf0ae6434a4c37a1232cfd71a31813b4) C:\WINDOWS\system32\drivers\sbtis.sys
2010/10/14 14:23:43.0218 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/14 14:23:43.0343 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2010/10/14 14:23:43.0375 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/14 14:23:43.0406 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/14 14:23:43.0453 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/14 14:23:43.0578 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/14 14:23:43.0656 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2010/10/14 14:23:43.0734 sonypvs1 (dfadfc2c86662f40759bf02add27d569) C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
2010/10/14 14:23:44.0031 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/14 14:23:44.0125 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/14 14:23:44.0187 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/14 14:23:44.0234 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/14 14:23:44.0281 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/14 14:23:44.0328 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/14 14:23:44.0421 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/14 14:23:44.0515 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/14 14:23:44.0562 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/14 14:23:44.0609 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/14 14:23:44.0640 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/14 14:23:44.0703 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/14 14:23:44.0750 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/14 14:23:44.0796 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/10/14 14:23:44.0843 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/14 14:23:44.0875 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/14 14:23:44.0906 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/14 14:23:44.0953 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/14 14:23:45.0000 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/14 14:23:45.0093 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/14 14:23:45.0156 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/14 14:23:45.0250 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/14 14:23:45.0296 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/14 14:23:45.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/14 14:23:45.0421 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/14 14:23:45.0468 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/14 14:23:45.0468 ================================================================================
2010/10/14 14:23:45.0468 Scan finished
2010/10/14 14:23:45.0468 ================================================================================
2010/10/14 14:23:45.0468 Detected object count: 1
2010/10/14 15:06:28.0062 \HardDisk0\MBR - will be cured after reboot
2010/10/14 15:06:28.0062 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
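The TDSSKiller log above ends with the MBR detection, the summary count and the chosen Cure action. As an added example (not part of this thread and not code from the TDSSKiller tool), here is a small Python triage helper that parses that log format: it pulls out per-driver MD5 hashes and image paths, detections, pending cures and user actions, checks that the summary's "Detected object count" agrees with the detection lines, flags any driver image loading from outside the expected drivers directory, and diffs driver hashes against an earlier scan of the same machine. The regular expressions are inferred from the lines shown in this thread; the sample input is the tail of the posted log, and the BASELINE dictionary is constructed for the demo (its wdmaud hash is deliberately not a real value).

```python
"""Triage helper for TDSSKiller-style scan logs (added example, not tool code).

Line formats are inferred from the log posted in this thread:
  <ts> <driver> (<md5>) <path>
  <ts> <object> - detected <verdict> (<n>)
  <ts> <object> - will be cured after reboot
  <ts> <verdict>(<object>) - User select action: <action>
  <ts> Detected object count: <n>
"""
import re
from dataclasses import dataclass, field
from typing import Optional

TS = r"^(?P<ts>\S+ \S+)\s+"  # "2010/10/14 14:23:45.0468 "
DRIVER_RE = re.compile(TS + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
DETECT_RE = re.compile(TS + r"(?P<obj>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
PENDING_RE = re.compile(TS + r"(?P<obj>\S+) - will be cured after reboot$")
ACTION_RE = re.compile(TS + r"(?P<verdict>\S+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")

# Legitimate XP boot drivers live here; a driver image anywhere else is worth a closer look.
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)       # name -> (md5, path)
    detections: list = field(default_factory=list)    # (object, verdict)
    pending_reboot: list = field(default_factory=list)
    actions: list = field(default_factory=list)       # (object, verdict, action)
    reported_count: Optional[int] = None


def parse_log(text: str) -> Report:
    """Classify each log line; lines that fit no known pattern are ignored."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DRIVER_RE.match(line):
            rep.drivers[m["name"]] = (m["md5"], m["path"])
        elif m := DETECT_RE.match(line):
            rep.detections.append((m["obj"], m["verdict"]))
        elif m := PENDING_RE.match(line):
            rep.pending_reboot.append(m["obj"])
        elif m := ACTION_RE.match(line):
            rep.actions.append((m["obj"], m["verdict"], m["action"]))
        elif m := COUNT_RE.match(line):
            rep.reported_count = int(m["n"])
    return rep


def triage(rep: Report) -> dict:
    """Summarise the points a responder checks first."""
    unexpected = sorted(name for name, (_, path) in rep.drivers.items()
                        if not path.lower().startswith(EXPECTED_DIRS))
    mbr_hits = [obj for obj, _ in rep.detections if obj.upper().endswith("\\MBR")]
    cured = {obj for obj, _, action in rep.actions if action == "Cure"}
    uncured = [obj for obj, _ in rep.detections if obj not in cured]
    count_ok = rep.reported_count is None or rep.reported_count == len(rep.detections)
    return {"unexpected_paths": unexpected, "mbr_detections": mbr_hits,
            "uncured": uncured, "count_consistent": count_ok}


def changed_drivers(baseline: dict, rep: Report) -> dict:
    """Diff driver MD5s against an earlier scan: name -> (old_md5, new_md5).
    old_md5 is None for drivers that appeared, new_md5 is None for ones that vanished."""
    out = {}
    for name, (md5, _) in rep.drivers.items():
        if baseline.get(name) != md5:
            out[name] = (baseline.get(name), md5)
    for name, old in baseline.items():
        if name not in rep.drivers:
            out[name] = (old, None)
    return out


# Sample input: the tail of the TDSSKiller log posted in this thread, verbatim.
SAMPLE_LOG = r"""
2010/10/14 14:23:45.0296 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/14 14:23:45.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/14 14:23:45.0421 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/14 14:23:45.0468 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/14 14:23:45.0468 Scan finished
2010/10/14 14:23:45.0468 Detected object count: 1
2010/10/14 15:06:28.0062 \HardDisk0\MBR - will be cured after reboot
2010/10/14 15:06:28.0062 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
"""

# Constructed baseline standing in for an earlier scan of the same machine;
# the wdmaud value is deliberately different and is not a real hash.
BASELINE = {
    "Wanarp": "e20b95baedb550f32dd489265c1da1f6",
    "wdmaud": "0000000000000000000000000000dead",
    "WSTCODEC": "c98b39829c2bbd34e454150633c62c78",
}

if __name__ == "__main__":
    report = parse_log(SAMPLE_LOG)
    for key, value in triage(report).items():
        print(f"{key}: {value}")
    for name, (old, new) in changed_drivers(BASELINE, report).items():
        print(f"hash changed: {name} {old} -> {new}")
```

Run against a full log from a later TDSSKiller pass, the hash diff is what tells you whether a driver image changed between the scan that found the MBR infection and the scan after the cure; the "count_consistent" flag catches a truncated or edited log where the summary no longer matches the detection lines.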


#10 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:06 AM

Posted 15 October 2010 - 10:24 AM

Hello,

Excellent to know. I know you were paying attention to this, since you're trying to learn it. You had the latest and nastiest version of the TDSS rootkit, tdl4. You can Google it and see why you were having the problems you were. What I would like for you to do now is go to Microsoft and get the updates Windows was trying to install through all of this. THEN go back and turn on auto updates. Since there were 3 of them going before in the logs you would probably bog down again if you simply turned the auto updates back on.

I see you have Malwarebytes....have a run with it and post the report, if there is anything to post. Usually when you have just this infection there isn't, but if you had anything else piggybacking in we need to know it.

You can delete all the other tools used. Let me know how you come out.

Thanks,
tea

Oh....After 3 hours in the chair they didn't finish, but got the majority done. I have one word for yesterday. PAIN! I took what the dentist prescribed and got a really good sleep out of the deal, and feel some better today. Thank you for asking.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 MohZ

  • Topic Starter

  • Members
  • 6 posts
  • Local time:10:06 AM

Posted 18 October 2010 - 10:17 AM

Thanks, tea
I ran the updates and everything seems to be running fine. Malwarebytes did find something. I have since removed it and rebooted twice, running a scan each time and it came up clean both times. I will be switching AV programs and keeping everything updated from here on out.

Thank you so much for helping out. I appreciate it more than I am able to express here. Unless you think I need to run anything else, this can be closed. Hope you had a good pain-free weekend and you're fully recovered!

Thanks
MohZ

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4870

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

10/18/2010 9:13:45 AM
mbam-log-2010-10-18 (09-13-45).txt

Scan type: Quick scan
Objects scanned: 181857
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.


#12 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:06 AM

Posted 18 October 2010 - 10:24 AM

Hi there,

The weekend was MUCH better.....still a twinge every now and then, but I'll take it.

You're most welcome, and I'm glad all is well. Were you able to get all the Windows updates?



#13 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:06 AM

Posted 22 October 2010 - 02:52 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



