
Account permissions & program access


This topic is locked
11 replies to this topic

#1 Dave1ee (Members, 9 posts)

Posted 07 October 2010 - 08:00 AM

Hi all, this is an interesting one; I haven't seen one quite like this before.
A customer brought in a laptop with malware and trojans on it, namely Antivirus 2010 and the TDSS (Alureon) rootkit in the CD driver, plus others.
These were removed by taking out the hard drive and running:
Spybot S&D
Malwarebytes
Microsoft Security Essentials
Kaspersky virus removal
Trend Micro HouseCall scanner

Attempted to run all of these when the hard drive was re-installed, plus attempted to run RootkitRevealer and Autoruns as well.

But here is the rub: the programs will install, and some will start to run, but then will either be killed/stopped by some process I can't capture.

I can't get HijackThis to run, or any other program I would normally use to do this; it's either "Access is denied" or "You do not have administrator permission".

Have even created a new admin account and the same occurs; have tried to regain access by taking ownership of files, but no good.

Any ideas would be great. Just trying not to have to re-install, but I think I will have to.

Dave

Will not be back in shop till later today so think about it.

Edited by hamluis, 07 October 2010 - 09:36 AM.
Moved from XP to Am I Infected ~ Hamluis.



#2 boopme - To Insanity and Beyond (Global Moderator, 73,404 posts, NJ USA)

Posted 07 October 2010 - 11:50 AM

Hello and welcome. Let's see if this gets us in. Reboot into Safe Mode with Networking.
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

Now RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
Do not reboot your computer after running RKill, as the malware programs will start again. If rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <- Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version (2.3.2.2) of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Dave1ee - Topic Starter (Members, 9 posts)

Posted 07 October 2010 - 03:48 PM

Sorry, had to put this out quickly this AM, but it is a Windows XP SP3 Dell Latitude D620 laptop. Am going to start with your suggestions.

#4 boopme - To Insanity and Beyond (Global Moderator, 73,404 posts, NJ USA)

Posted 07 October 2010 - 06:34 PM

Ok, take your time.

#5 Dave1ee - Topic Starter (Members, 9 posts)

Posted 07 October 2010 - 06:58 PM

Hi, I have run all the items in the order you listed and had no positive results to report. However, the last step, running MBAM, is where things are just an indication that things are still not well. When I click on the program to run it when first installed, it is just killed (as are Spybot and HijackThis). When I subsequently click on the icon to start the program I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
I have had this and also just the killing of programs while they are running, i.e. Spybot is killed while running, etc.

RUBotted from Trend Micro does run in the tray and is working as far as I can tell, since it shows in Task Manager.

Don't see an attach-file option, so here is the TDSSKiller log:

2010/10/07 18:04:18.0875 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/07 18:04:18.0875 ================================================================================
2010/10/07 18:04:18.0875 SystemInfo:
2010/10/07 18:04:18.0875
2010/10/07 18:04:18.0875 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/07 18:04:18.0875 Product type: Workstation
2010/10/07 18:04:18.0875 ComputerName: DELL-D620
2010/10/07 18:04:18.0875 UserName: Tech
2010/10/07 18:04:18.0875 Windows directory: C:\WINDOWS
2010/10/07 18:04:18.0875 System windows directory: C:\WINDOWS
2010/10/07 18:04:18.0875 Processor architecture: Intel x86
2010/10/07 18:04:18.0875 Number of processors: 2
2010/10/07 18:04:18.0875 Page size: 0x1000
2010/10/07 18:04:18.0875 Boot type: Normal boot
2010/10/07 18:04:18.0875 ================================================================================
2010/10/07 18:04:19.0015 Initialize success
2010/10/07 18:04:22.0218 ================================================================================
2010/10/07 18:04:22.0218 Scan started
2010/10/07 18:04:22.0218 Mode: Manual;
2010/10/07 18:04:22.0218 ================================================================================
2010/10/07 18:04:23.0125 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/07 18:04:23.0156 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/07 18:04:23.0234 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/07 18:04:23.0265 AFD (4d43e74f2a1239d53929b82600f1971c) C:\WINDOWS\System32\drivers\afd.sys
2010/10/07 18:04:23.0406 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2010/10/07 18:04:23.0453 APPDRV (49a38b115d1502cfeb2aee248df15cd1) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2010/10/07 18:04:23.0562 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/07 18:04:23.0593 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/07 18:04:23.0625 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/07 18:04:23.0671 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/07 18:04:23.0703 b57w2k (58911390115465bf6d8048f21f48655a) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/10/07 18:04:23.0750 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/07 18:04:23.0828 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2010/10/07 18:04:23.0843 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2010/10/07 18:04:23.0906 BTHPORT (51d05d5a8a7d93ab0b1a8d6a38db3ca4) C:\WINDOWS\system32\Drivers\BTHport.sys
2010/10/07 18:04:24.0046 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2010/10/07 18:04:24.0343 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/07 18:04:24.0375 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/07 18:04:24.0437 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/07 18:04:24.0453 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/07 18:04:24.0546 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/10/07 18:04:24.0578 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/07 18:04:24.0640 cxrubd6d (d81c5712ef44babf7652e3623cef0436) C:\WINDOWS\system32\drivers\cxrubd6d.sys
2010/10/07 18:04:24.0703 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/07 18:04:24.0781 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/07 18:04:24.0859 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/07 18:04:24.0921 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/07 18:04:24.0968 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/07 18:04:25.0046 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/07 18:04:25.0093 el575nd5 (23f6b9cf432f492ebbd8105d78cb008c) C:\WINDOWS\system32\DRIVERS\el575nd5.sys
2010/10/07 18:04:25.0171 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/07 18:04:25.0218 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/10/07 18:04:25.0234 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/07 18:04:25.0250 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/07 18:04:25.0312 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/10/07 18:04:25.0343 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/07 18:04:25.0390 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/07 18:04:25.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/07 18:04:25.0531 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/07 18:04:25.0656 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
2010/10/07 18:04:25.0703 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
2010/10/07 18:04:25.0750 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/07 18:04:25.0828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/07 18:04:26.0156 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/10/07 18:04:26.0375 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/07 18:04:26.0453 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/07 18:04:26.0484 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/10/07 18:04:26.0515 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/07 18:04:26.0531 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/07 18:04:26.0578 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/07 18:04:26.0609 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/07 18:04:26.0640 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/07 18:04:26.0703 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/07 18:04:26.0734 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/07 18:04:26.0781 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/07 18:04:26.0812 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/07 18:04:26.0890 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/10/07 18:04:26.0937 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/07 18:04:27.0046 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/07 18:04:27.0078 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/07 18:04:27.0093 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/07 18:04:27.0140 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/07 18:04:27.0203 MRxSmb (d09b9f0b9960dd41e73127b7814c115f) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/07 18:04:27.0250 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/07 18:04:27.0281 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/07 18:04:27.0296 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/07 18:04:27.0328 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/07 18:04:27.0343 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/07 18:04:27.0359 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/07 18:04:27.0390 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/07 18:04:27.0421 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/07 18:04:27.0453 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/07 18:04:27.0468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/07 18:04:27.0484 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/07 18:04:27.0500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/07 18:04:27.0531 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/07 18:04:27.0765 NETw4x32 (d57258165aba8162de8e29d71487fc4b) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2010/10/07 18:04:27.0859 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/07 18:04:27.0906 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/07 18:04:27.0953 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/07 18:04:27.0984 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/07 18:04:28.0046 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/07 18:04:28.0109 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/07 18:04:28.0125 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/07 18:04:28.0156 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/07 18:04:28.0203 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/07 18:04:28.0234 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/07 18:04:28.0281 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/10/07 18:04:28.0421 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/07 18:04:28.0453 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/07 18:04:28.0484 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/07 18:04:28.0562 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/07 18:04:28.0578 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/07 18:04:28.0593 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/07 18:04:28.0609 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/07 18:04:28.0640 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/07 18:04:28.0656 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/07 18:04:28.0687 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/07 18:04:28.0718 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/07 18:04:28.0734 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/07 18:04:28.0828 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2010/10/07 18:04:28.0890 SBRE (e121185abcc7f6f2875843ed3236d245) C:\WINDOWS\system32\drivers\SBREdrv.sys
2010/10/07 18:04:28.0937 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/07 18:04:28.0968 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/07 18:04:28.0984 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/07 18:04:29.0015 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/07 18:04:29.0078 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/07 18:04:29.0125 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/07 18:04:29.0171 Srv (422e4508508015c7d12f40bf9763f158) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/07 18:04:29.0234 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
2010/10/07 18:04:29.0343 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2010/10/07 18:04:29.0468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/07 18:04:29.0515 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/07 18:04:29.0625 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/07 18:04:29.0671 Tcpip (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/07 18:04:29.0718 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/07 18:04:29.0734 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/07 18:04:29.0765 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/07 18:04:29.0828 tmcomm (0de65bb8cb3452f3043bae8dd0af09f0) C:\WINDOWS\system32\drivers\tmcomm.sys
2010/10/07 18:04:29.0890 TMPassthru (690acb48dac04e44a3d5e7654ca3260d) C:\WINDOWS\system32\DRIVERS\TMPassthru.sys
2010/10/07 18:04:29.0906 TMPassthruMP (690acb48dac04e44a3d5e7654ca3260d) C:\WINDOWS\system32\DRIVERS\TMPassthru.sys
2010/10/07 18:04:29.0968 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/07 18:04:30.0062 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/07 18:04:30.0187 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/07 18:04:30.0218 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/07 18:04:30.0265 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/07 18:04:30.0281 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/07 18:04:30.0312 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/07 18:04:30.0375 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/07 18:04:30.0406 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/07 18:04:30.0468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/07 18:04:30.0546 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2010/10/07 18:04:30.0703 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/10/07 18:04:30.0781 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/07 18:04:30.0796 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/07 18:04:31.0046 ================================================================================
2010/10/07 18:04:31.0046 Scan finished
2010/10/07 18:04:31.0046 ================================================================================
2010/10/07 18:05:01.0593 Deinitialize success

#6 boopme - To Insanity and Beyond (Global Moderator, 73,404 posts, NJ USA)

Posted 07 October 2010 - 07:30 PM

SAS also failed to run?

Do this and try SAS and MBAM again.
Download FixPolicies.exe, by Bill Castner, MS-MVP, to your Desktop.

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar. This will create a new folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
A black box will briefly appear and then close.
The active malware may revert these changes at your next startup. You can safely run the utility again.

#7 Dave1ee - Topic Starter (Members, 9 posts)

Posted 08 October 2010 - 08:27 AM

Had run FixPolicies but did it again anyway. Yes, SAS has the same issue, but it doesn't load when the icon is clicked. The error message is basically that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Of note also: I had created a second user called Tech with administrator privileges, and the primary administrator user account has now disappeared from User Accounts.

#8 boopme - To Insanity and Beyond (Global Moderator, 73,404 posts, NJ USA)

Posted 08 October 2010 - 04:08 PM

Open Control Panel and go to Administrative Tools.
In Administrative Tools, open Local Security Policy.
Then in Local Security Policy, right-click Software Restriction Policies and click “New Software Restriction Policy”.
Now left-click on Software Restriction Policies and in the right-hand window you should see Enforcement.
Double-click on Enforcement and set the policy to apply to “ALL USERS EXCEPT LOCAL ADMINISTRATORS”.
Now approve the changes and see if you are now able to install software.

#9 Dave1ee - Topic Starter (Members, 9 posts)

Posted 08 October 2010 - 11:16 PM

O.K. Did that, no joy, still the same issues. I did find in the root folder a file named XXLGNZC.exe (C:\Docme~1\Tech\Locals~1\Temp\XXLGNZC.exe), and it is listed as a service but does not show up in MSCONFIG.
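
The following read-only PowerShell audit is an added example for posts #6, #8 and #9; it is not FixPolicies, TDSSKiller or any BleepingComputer tool, and none of the helpers did not post it. It reports the registry values behind the Local Security Policy > Software Restriction Policies > Enforcement setting from post #8, the per-user lockdown policies that a FixPolicies-style reset clears (post #6), and any service whose binary lives under a profile or Temp folder, the pattern of the XXLGNZC.exe service in post #9. The registry paths and value meanings are from my own knowledge of Windows SRP, and the "user-writable location" pattern is an assumption modelled on the path quoted above; nothing in it changes the machine.

```powershell
# Added, read-only audit script written for this thread (not FixPolicies, TDSSKiller or any
# BleepingComputer tool). Registry paths and value meanings are from the author's knowledge
# of Windows Software Restriction Policies; the "user-writable location" regex is an assumption
# modelled on the XXLGNZC.exe path in post #9. Run from an elevated PowerShell 2.0 or later.
# Nothing below modifies the machine; it only reports.

function Describe-Value($value, $names) {
    # Turn a raw policy DWORD into "<meaning> (decimal)" or say plainly that it is not set.
    if ($null -eq $value) { return 'not set (built-in default applies)' }
    $v = [int]$value
    if ($names.ContainsKey($v)) { return ('{0} ({1})' -f $names[$v], $v) }
    return ('unrecognised value {0}' -f $v)
}

# --- 1. Software Restriction Policies (Local Security Policy > Software Restriction Policies) ---
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Write-Output '== Software Restriction Policies =='
if (-not (Test-Path $saferKey)) {
    Write-Output 'No SRP key present: no Software Restriction Policy is defined on this machine.'
} else {
    $safer = Get-ItemProperty -Path $saferKey
    # DefaultLevel: what happens to a program no rule matches. 262144 is 0x40000.
    $levels = @{ 262144 = 'Unrestricted'; 4096 = 'Basic User'; 0 = 'Disallowed' }
    # PolicyScope 1 is the "All users except local administrators" Enforcement setting from post #8.
    $scopes = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
    # TransparentEnabled: whether DLLs are checked as well as executables.
    $transparent = @{ 0 = 'Disabled'; 1 = 'All software files except libraries'; 2 = 'All software files' }
    Write-Output ('DefaultLevel       : ' + (Describe-Value $safer.DefaultLevel $levels))
    Write-Output ('PolicyScope        : ' + (Describe-Value $safer.PolicyScope $scopes))
    Write-Output ('TransparentEnabled : ' + (Describe-Value $safer.TransparentEnabled $transparent))
    # Rules live under <level>\Paths and <level>\Hashes. A path rule under level 0 (Disallowed)
    # blocks whatever it matches, which is one way a program ends up with the
    # "Windows cannot access the specified device, path, or file" message quoted in post #5.
    Get-ChildItem -Path (Join-Path $saferKey '0\Paths') -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        Write-Output ('Disallowed path rule : ' + $rule.ItemData)
    }
}

# --- 2. Per-user lockdown policies (the kind a FixPolicies-style reset clears) -------------------
Write-Output '== Per-user lockdown policies =='
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'DisallowRun' }
)
$setCount = 0
foreach ($check in $policyChecks) {
    # A missing key or value is the normal state; only a non-zero value is worth reporting.
    $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($check.Name) -ne 0) {
        $setCount++
        Write-Output ('SET: {0}\{1} = {2}' -f $check.Key, $check.Name, $item.($check.Name))
    }
}
if ($setCount -eq 0) { Write-Output 'None of the checked lockdown values are set.' }

# --- 3. Services whose binary lives in a profile or Temp folder ---------------------------------
# A service starts before anyone logs on and never appears on msconfig's Startup tab, which is
# why a service pointing into a Temp folder (post #9) deserves a look. Pattern is an assumption.
Write-Output '== Services running from user-writable locations =='
$suspectPattern = '\\(Temp|Docume~1|Documents and Settings|Users)\\'
$hits = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -match $suspectPattern) }
if (-not $hits) {
    Write-Output 'No service binary found under a profile or Temp folder.'
} else {
    $hits | ForEach-Object {
        Write-Output ('{0,-20} state={1,-8} start={2,-6} path={3}' -f $_.Name, $_.State, $_.StartMode, $_.PathName)
    }
}
```

Running it before and after the Enforcement change in post #8 shows PolicyScope moving from 0 to 1, which is what lets an administrator account launch tools that a Disallowed rule would otherwise block; a Disallowed path rule covering the folder the tools are installed into is the thing to look for when the "Windows cannot access the specified device, path, or file" message appears only for newly installed programs. Section 3 reports, it does not remove: a service found there is something to hand to the log-review team rather than delete by hand, for the reason Orange Blossom gives at the end of the thread.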

#10 Dave1ee - Topic Starter (Members, 9 posts)

Posted 09 October 2010 - 09:42 AM

Another item of interest is that the computer did have AVG AV on it, but that was disabled by the malware/trojans on the system. It continually shows up as running although it has been uninstalled, and I have even run the AVG remover tool from AVG. No luck. Tried to re-install to see if that would change the issue, and no luck there either, since it will not install correctly.

#11 boopme - To Insanity and Beyond (Global Moderator, 73,404 posts, NJ USA)

Posted 09 October 2010 - 09:49 AM

How about this, as we will need a deeper look into this machine, if we can, to remove this junk.

Can you open a different user account, or create one, and then run DDS?
Click on Start, then Control Panel
Click on Users
Create a new user account with Administrative Rights
Login as that user


Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#12 Orange Blossom - OBleepin Investigator (Moderator, 36,987 posts, Bloomington, IN)

Posted 12 October 2010 - 10:52 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic352811.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
