Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

YCemSCI.exe problem..Combofix will not stop trying to scan...help please


  • Please log in to reply
29 replies to this topic

#1 funlover

funlover

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 22 November 2010 - 10:51 PM

I have been having problems for several days after a file named YCemSCI.exe appeared on my desktop. I ran Malwarebytes and it said it deleted 2, but I would have to restart to delete others. Kept restarting over and over and wouldn't let me open in safe mode. I finally did get back to windows and did a scan with Antivir. There were 2 detections and I had them quarantined.
The file was still on the desktop and a friend told me to download Combofix. I did and it also downloaded the recovery console. I started it over 2 hours ago and it still says scanning, but no stages are shown. Now I can't stop it even with task manager. Now I am on other computer and have read that I should never started it in the first place....help please...new user

Edited by boopme, 23 November 2010 - 12:02 AM.
Moved from XP to appropriate forum.


BC AdBot (Login to Remove)

 


#2 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 22 November 2010 - 11:44 PM

I went to msconfig and asked to start up in safe mode. I ran scan with malwarebytes and it showed no detections. The file is still on my desktop so can I just delete it?

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:47 AM

Posted 23 November 2010 - 08:07 AM

You can try deleting it while in safe mode. Open Task Manager first and end the process if you see it running otherwise deletion will not work.

Malwarebytes Anti-Malware has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system if removing a critical file.


a friend told me to download Combofix...Now I am on other computer and have read that I should never started it in the first place.

That is correct. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

Are you still have issues with ComboFix trying to scan?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 23 November 2010 - 10:19 AM

Thank you for answering. Adter I opened in safe mode the first time, Combofix was closed and I haven't opened it again. I just followed your directions and deleted the file with assassin.
The other problem I am having since this all started, is that my computer doesn't boot up normally. I went into bios and set to boot to cdrom and tried to do recovery with my windows cd. I went through all the steps and after selecting R there would only be the cdrom drive showing as 1..no others. Also when I go back into bios and change back to start with hard drive, windows starts up without explorer..no icons. When starting up the windows that asks about do I want recovery comes up, but won't let me arrow up...at a loss what to do??

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:47 AM

Posted 23 November 2010 - 10:23 AM

Have you tried using Last Known Good Configuration or System Restore from a command prompt in Safe Mode to return to a previous state before the problems began?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 23 November 2010 - 10:37 AM

Yes I did and was unable to arrow up to select. I would have thought that my keyboard wasn;t working, but it worked in bios. I press over and over and can never get it to come up. I have never had this problem before?

#7 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 23 November 2010 - 10:52 AM

I download TDSSKiller from this computer and used a flash drive to install it on my other one. I ran it and it just now started up normally. It found and cured a file called rootkit.win32.tdss.tdl4. I hope that is the end of the problem. I want to say that yesterday finding this site is amazing....best site I have ever found for computer help. While searching posts, I read about TDSSKiller. Had never heard about it before. This is the first time in 16 years that I have had a problem with a virus or malware though. When I was browsing several days ago, I heard a beep from Antivir. I was in a hurry and it asked if i wanted to delete..clicked yes, but problems began. Almost scared to browse again. Of all things, i was looking for a grilled turkey recipe!! Thank you so much.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:47 AM

Posted 23 November 2010 - 10:52 AM

We posted at the same time so I did not see your last reply.

Edited by quietman7, 23 November 2010 - 10:55 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 23 November 2010 - 10:55 AM

No it is USB

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:47 AM

Posted 23 November 2010 - 10:55 AM

Please post the complete results of your TDSSkiller scan for review.

After running TDSSkiller, a log file named TDSSKiller_version_date_time_log.txt will have been created and saved to the root directory (usually Local Disk C:). Open that file in notepad, then copy and paste the contents of that file in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 23 November 2010 - 11:04 AM

Ok here it is

2010/11/23 09:34:28.0578 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/23 09:34:28.0578 ================================================================================
2010/11/23 09:34:28.0578 SystemInfo:
2010/11/23 09:34:28.0578
2010/11/23 09:34:28.0578 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/23 09:34:28.0578 Product type: Workstation
2010/11/23 09:34:28.0578 ComputerName: HELEN
2010/11/23 09:34:28.0578 UserName: Basler
2010/11/23 09:34:28.0578 Windows directory: C:\WINDOWS
2010/11/23 09:34:28.0578 System windows directory: C:\WINDOWS
2010/11/23 09:34:28.0578 Processor architecture: Intel x86
2010/11/23 09:34:28.0578 Number of processors: 2
2010/11/23 09:34:28.0578 Page size: 0x1000
2010/11/23 09:34:28.0578 Boot type: Normal boot
2010/11/23 09:34:28.0578 ================================================================================
2010/11/23 09:34:28.0953 Initialize success
2010/11/23 09:34:44.0984 ================================================================================
2010/11/23 09:34:44.0984 Scan started
2010/11/23 09:34:44.0984 Mode: Manual;
2010/11/23 09:34:44.0984 ================================================================================
2010/11/23 09:34:46.0984 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/23 09:34:47.0015 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/23 09:34:47.0078 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/23 09:34:47.0125 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/23 09:34:47.0296 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/23 09:34:47.0515 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/23 09:34:47.0578 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/23 09:34:47.0734 ati2mtag (0c2ca1c294938139829b1983a0c38b31) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/23 09:34:47.0890 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
2010/11/23 09:34:47.0984 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/23 09:34:48.0031 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/23 09:34:48.0156 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/11/23 09:34:48.0234 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/11/23 09:34:48.0281 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/11/23 09:34:48.0328 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/23 09:34:48.0484 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/23 09:34:48.0562 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/23 09:34:48.0609 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/23 09:34:48.0718 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/23 09:34:48.0765 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/23 09:34:48.0828 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/23 09:34:48.0875 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/23 09:34:48.0906 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/23 09:34:48.0937 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/23 09:34:48.0953 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/23 09:34:49.0031 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/23 09:34:49.0093 es1371 (24e564f710d887ecc75cfe59882ecc5d) C:\WINDOWS\system32\drivers\es1371mp.sys
2010/11/23 09:34:49.0140 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/23 09:34:49.0187 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/23 09:34:49.0265 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/23 09:34:49.0296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/23 09:34:49.0343 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/23 09:34:49.0375 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/23 09:34:49.0421 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/23 09:34:49.0468 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/11/23 09:34:49.0500 gdrv (c6e3105b8c68c35cc1eb26a00fd1a8c6) C:\WINDOWS\gdrv.sys
2010/11/23 09:34:50.0578 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/11/23 09:34:50.0640 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/23 09:34:50.0703 GVTDrv (689a8eef2a2d62b28a0a578a6196531c) C:\WINDOWS\system32\Drivers\GVTDrv.sys
2010/11/23 09:34:50.0781 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/23 09:34:50.0843 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2010/11/23 09:34:50.0859 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/23 09:34:50.0937 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/23 09:34:51.0015 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/23 09:34:51.0078 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/23 09:34:51.0125 InCDfs (98e96b6f095e6289c3293b99d0f926b2) C:\WINDOWS\system32\drivers\InCDFs.sys
2010/11/23 09:34:51.0156 InCDPass (0b3e2517cf826020688650d46adf5b05) C:\WINDOWS\system32\drivers\InCDPass.sys
2010/11/23 09:34:51.0203 InCDrec (00ee363ea793a9d8dab5254acbd7d8e6) C:\WINDOWS\system32\drivers\InCDRec.sys
2010/11/23 09:34:51.0250 incdrm (d41ab5be8861aff53851594de58dddfa) C:\WINDOWS\system32\drivers\InCDRm.sys
2010/11/23 09:34:51.0421 IntcAzAudAddService (4aaa8312732655f93a254d1fa695eb79) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/11/23 09:34:51.0500 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/23 09:34:51.0546 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/23 09:34:51.0625 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/23 09:34:51.0671 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/23 09:34:51.0703 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/23 09:34:51.0734 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/23 09:34:51.0781 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/23 09:34:51.0828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/23 09:34:51.0890 JRAID (b07084095f8c03aadb9811c9df14b5e4) C:\WINDOWS\system32\DRIVERS\jraid.sys
2010/11/23 09:34:51.0921 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/23 09:34:51.0968 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/23 09:34:52.0015 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/23 09:34:52.0062 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/23 09:34:52.0156 MaxtorFrontPanel1 (dad2801f46631b625fb4fb37265fbe6e) C:\WINDOWS\system32\DRIVERS\mxofwfp.sys
2010/11/23 09:34:52.0203 mbmiodrvr (290fb01f7f51eff0960599404a09f8d6) C:\WINDOWS\system32\mbmiodrvr.sys
2010/11/23 09:34:52.0343 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/23 09:34:52.0406 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/23 09:34:52.0468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/23 09:34:52.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/23 09:34:52.0546 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/23 09:34:52.0656 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/23 09:34:52.0734 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/23 09:34:52.0843 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/23 09:34:52.0890 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/23 09:34:52.0937 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/23 09:34:52.0968 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/23 09:34:53.0000 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/23 09:34:53.0046 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/23 09:34:53.0109 MXOPSWD (e3dec7ca28a9870e24fff4e467af7328) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
2010/11/23 09:34:53.0171 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/23 09:34:53.0218 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/23 09:34:53.0234 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/23 09:34:53.0250 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/23 09:34:53.0281 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/23 09:34:53.0343 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/23 09:34:53.0359 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/23 09:34:53.0390 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/23 09:34:53.0484 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/23 09:34:53.0500 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/23 09:34:53.0546 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/23 09:34:53.0765 nv (9e143fb3ef13b7ec1c1dd06529debadd) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/23 09:34:54.0062 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/23 09:34:54.0109 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/23 09:34:54.0171 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/23 09:34:54.0234 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/23 09:34:54.0265 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/23 09:34:54.0312 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/23 09:34:54.0312 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/23 09:34:54.0359 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/23 09:34:54.0406 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/23 09:34:54.0500 pdiddcci (d1fc85a4880539657bb4d3775da0c541) C:\WINDOWS\system32\DRIVERS\pdiddcci.sys
2010/11/23 09:34:54.0546 PdiPorts (18ed1d71fef6f71d38c24263500bbd01) C:\WINDOWS\system32\Drivers\PdiPorts.sys
2010/11/23 09:34:54.0625 Pivot (943f840611d33832308ec5310b616b57) C:\WINDOWS\system32\drivers\pivot.sys
2010/11/23 09:34:54.0671 pivotmou (998c58295288eedfbfe95e7f6cc94df4) C:\WINDOWS\system32\drivers\pivotmou.sys
2010/11/23 09:34:54.0734 Point32 (e552d6598670b1e7655cb73d562e0cd9) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/11/23 09:34:54.0781 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/23 09:34:54.0796 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/23 09:34:54.0812 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/23 09:34:54.0875 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/23 09:34:54.0906 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/23 09:34:55.0046 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/23 09:34:55.0125 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/23 09:34:55.0156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/23 09:34:55.0187 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/23 09:34:55.0250 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/23 09:34:55.0281 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/23 09:34:55.0359 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/23 09:34:55.0406 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/23 09:34:55.0484 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/11/23 09:34:55.0531 RTLTEAMING (68afbf8aeff22bba44b2ccbddad2e00f) C:\WINDOWS\system32\DRIVERS\RTLTEAMING.SYS
2010/11/23 09:34:55.0593 RTLVLAN (3f4274d54052158aeab974a523c768ea) C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
2010/11/23 09:34:55.0640 RtNdPt5x (38e05c1e06172a08f26c8c383d724ef4) C:\WINDOWS\system32\DRIVERS\RtNdPt5x.sys
2010/11/23 09:34:55.0765 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/11/23 09:34:55.0828 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/11/23 09:34:55.0921 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2010/11/23 09:34:55.0968 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/23 09:34:55.0984 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/23 09:34:56.0015 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/23 09:34:56.0046 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/23 09:34:56.0140 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/23 09:34:56.0171 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/23 09:34:56.0234 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/23 09:34:56.0328 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/11/23 09:34:56.0375 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/23 09:34:56.0421 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/23 09:34:56.0500 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/23 09:34:56.0546 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/23 09:34:56.0625 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/23 09:34:56.0656 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/23 09:34:56.0765 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/23 09:34:56.0875 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/23 09:34:57.0000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/23 09:34:57.0078 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/23 09:34:57.0109 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/23 09:34:57.0171 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/23 09:34:57.0234 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/23 09:34:57.0281 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/23 09:34:57.0312 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/23 09:34:57.0328 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/23 09:34:57.0343 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/23 09:34:57.0421 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/23 09:34:57.0515 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/23 09:34:57.0609 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/23 09:34:57.0703 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/11/23 09:34:57.0750 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/23 09:34:57.0921 ================================================================================
2010/11/23 09:34:57.0921 Scan finished
2010/11/23 09:34:57.0921 ================================================================================
2010/11/23 09:34:57.0921 Detected object count: 1
2010/11/23 09:36:34.0406 \HardDisk0 - will be cured after reboot
2010/11/23 09:36:34.0406 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/23 09:36:59.0468 Deinitialize success

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:47 AM

Posted 23 November 2010 - 11:09 AM

This is the pertinent section of the log which indicates a TDSS rootkit infected the Master Boot Record (MBR) and that it will be cured after reboot.

2010/11/23 09:34:57.0750 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/23 09:34:57.0921 ================================================================================
2010/11/23 09:34:57.0921 Scan finished
2010/11/23 09:34:57.0921 ================================================================================
2010/11/23 09:34:57.0921 Detected object count: 1
2010/11/23 09:36:34.0406 \HardDisk0 - will be cured after reboot
2010/11/23 09:36:34.0406 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

This is a type of malware that alters the MBR of the system drive to ensure persistent execution of malicious code. Essentially, it overwrites the MBR of the hard disk with its own code and stores a copy of the original MBR at another sector using rootkit techniques to hide itself. To learn more about this infection please refer to:


Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 23 November 2010 - 11:24 AM

Oh boy it starts to scan and then stops. First time i got a message that internet explorer was closing to protect my computer. Now now the scans starts and then stops over and over

#14 funlover

funlover
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:47 AM

Posted 23 November 2010 - 11:30 AM

Forgot to say, i hear a beep first like a popup, but don't see one..then it stops

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:47 AM

Posted 23 November 2010 - 11:34 AM

Try a different online scan.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator.
    To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished. If that's the case, please refer to How To Temporarily Disable Your Anti-virus.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users