Struggling with aftereffects of SecurityTool and ThinkPoint infections


  • This topic is locked
45 replies to this topic

#1 NeilB

Posted 25 November 2010 - 12:48 AM

I successfully (??) removed SecurityTool and ThinkPoint infections from my HP desktop running XP Pro on Friday 11/19 using the helpful links, tools, and instructions from the self-help guides on this website (thanks for everything so far!!). Have since installed Norton IS, to hopefully head off further infections.

However I am still struggling with multiple symptoms and side effects, don't know if/how they're related and don't know how to resolve them.
- A "YCemSCI.exe" file showed up on my desktop the same day as the infections. Probably not a coincidence? I'm seeing that this file may have questionable origins. I feel like I should delete it but was hoping that keeping it would help the diagnosis.
- I am seeing frequent "Generic Host Process for Win32 Services has encountered a problem and needs to close" errors.
- slow opening Internet Explorer windows, often to the point of hanging up forever in a "Connecting..." state and requiring me to power off and reboot either through Task Manager or manually.
- machine tends to lock up and need a restart after using Internet Explorer for a while, varying with how long and how many sessions are open.
- Norton has been flagging a "wert.exe" file, recommending removal. Kept recurring for a couple of days but I don't think I saw it today, maybe that one gave up trying to get in.
- Occasional abrupt shut down/restarts.
- Occasional redirections to a WalMart-appearing site telling me I've won a $1000 shopping card (hmmm, maybe I could buy a new PC with that...)
- Printing stopped for a while today, because the print spooler service disappeared; I was able to restore it by copying the spoolsv.exe file (that had somehow gone missing) back where it was supposed to be.



Please advise. I don't know enough about this stuff to be comfortable moving forward on my own, just enough to be dangerous to my machine, and I don't want to misapply the tools that are available here and completely f*** it up.
Thanks.




#2 Elise (Malware Study Hall Admin)

Posted 06 December 2010 - 09:51 AM

Hello NeilB and sorry for the delay.

Let's first check for rootkits. These rogues often come bundled with a rootkit in order to protect them.

Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note - if you get the following warning, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Click on Cancel, then Accept.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 NeilB (Topic Starter)

Posted 06 December 2010 - 12:41 PM

Thanks Elise,
I suspect you are right about the rootkit; I saw some indications of that when I initially ran DDS and GMER. I can provide those logs if you need them, not sure if I can generate current ones now, given the condition of the PC.

Unfortunately I am 900 land miles away from the affected PC, and will be until Friday 12/10 night. So I may not be getting RKUnhooker results back to you until the weekend, unless my wife can get some of our helpful neighbor's time to take my place in the interim. We will get some results posted as soon as we can.

#4 Elise

Posted 06 December 2010 - 01:05 PM

No problem, just post back when you get back. :)

regards, Elise




#5 NeilB

Posted 10 December 2010 - 11:22 PM

Hi Elise, I'm back.
Just downloaded RKUnhookerLE.exe and saved to desktop. Attempted to run it, got "Warning - Integrity Checking" box with the message about the detected parasite.
Clicked "Cancel" as directed, but then got an "Error" box saying "Program integrity damaged" with an OK button.
Clicking either the OK or the X gave me another "Error" box saying "Error loading/opening driver" with an OK button.
Clicking either this OK or X caused the Error box to go away.

#6 Elise

Posted 11 December 2010 - 04:27 AM

Please follow the steps in this guide and post me the resulting log.

regards, Elise




#7 NeilB

Posted 11 December 2010 - 11:06 PM

OK Elise - downloaded and ran TDSSKiller and MalwareBytes; logs follow in this and the next post. Looks like it worked? But how do I know for sure...

TDSSKiller log "TDSSKiller.2.4.11.0_11.12.2010_21.16.48_log":

2010/12/11 21:16:48.0625 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/11 21:16:48.0625 ================================================================================
2010/12/11 21:16:48.0625 SystemInfo:
2010/12/11 21:16:48.0625
2010/12/11 21:16:48.0625 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/11 21:16:48.0625 Product type: Workstation
2010/12/11 21:16:48.0625 ComputerName: HP-PC
2010/12/11 21:16:48.0625 UserName: The Berrys
2010/12/11 21:16:48.0625 Windows directory: C:\WINDOWS
2010/12/11 21:16:48.0625 System windows directory: C:\WINDOWS
2010/12/11 21:16:48.0625 Processor architecture: Intel x86
2010/12/11 21:16:48.0625 Number of processors: 2
2010/12/11 21:16:48.0625 Page size: 0x1000
2010/12/11 21:16:48.0625 Boot type: Safe boot with network
2010/12/11 21:16:48.0625 ================================================================================
2010/12/11 21:16:49.0171 Initialize success
2010/12/11 21:17:07.0171 ================================================================================
2010/12/11 21:17:07.0171 Scan started
2010/12/11 21:17:07.0171 Mode: Manual;
2010/12/11 21:17:07.0171 ================================================================================
2010/12/11 21:17:11.0515 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/11 21:17:12.0281 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/11 21:17:13.0671 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/11 21:17:14.0421 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/11 21:17:17.0578 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/12/11 21:17:18.0187 AmdLLD (ad8fa28d8ed0d0a689a0559085ce0f18) C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
2010/12/11 21:17:19.0515 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/12/11 21:17:22.0140 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/11 21:17:22.0984 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/11 21:17:26.0312 ati2mtag (b70ecb6bd20e13f0ce3c0bc95f5c3a9a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/12/11 21:17:29.0218 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/11 21:17:30.0000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/11 21:17:30.0703 b57w2k (a9d0f6efc61d1ff69b55c495f85dd868) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/12/11 21:17:31.0390 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/11 21:17:32.0109 BHDrvx86 (83a2fec59a0a0fc73bf6598e901b2fbd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101123.003\BHDrvx86.sys
2010/12/11 21:17:33.0390 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/11 21:17:34.0359 ccHP (e941e709847fa00e0dd6d58d2b8fb5e1) C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys
2010/12/11 21:17:35.0906 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/11 21:17:36.0515 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/11 21:17:37.0125 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/11 21:17:41.0062 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/11 21:17:41.0734 DLABMFSM (e328f653bb38dca443b6b5c209550f16) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
2010/12/11 21:17:42.0437 DLABOIOM (5324fbe31307eddd03df5539225454c8) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/12/11 21:17:43.0171 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/12/11 21:17:43.0843 DLADResM (29d4dd39678bda04d76e6ddb56355c21) C:\WINDOWS\system32\DLA\DLADResM.SYS
2010/12/11 21:17:44.0593 DLAIFS_M (b89653704319073f71311a676baf70d4) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/12/11 21:17:45.0343 DLAOPIOM (e08f04c7f7e0c31c9ac928abac9d0193) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/12/11 21:17:46.0031 DLAPoolM (daa942572d1b3393040209bf5eadf4a8) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/12/11 21:17:46.0625 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2010/12/11 21:17:47.0343 DLAUDFAM (e1160a37a6f1a7607510744267501836) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/12/11 21:17:48.0000 DLAUDF_M (26dad89dc9de1f7f4990849bc5731d03) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/12/11 21:17:49.0593 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/11 21:17:51.0062 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/11 21:17:51.0875 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/11 21:17:52.0609 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/11 21:17:53.0937 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/11 21:17:54.0531 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/12/11 21:17:55.0343 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/12/11 21:17:55.0921 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/12/11 21:17:56.0390 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/12/11 21:17:57.0296 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/11 21:17:58.0015 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/11 21:17:58.0593 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/11 21:17:59.0328 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/12/11 21:17:59.0984 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/11 21:18:00.0750 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/11 21:18:01.0515 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/11 21:18:02.0203 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/12/11 21:18:02.0796 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/11 21:18:03.0578 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
2010/12/11 21:18:04.0359 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/11 21:18:05.0031 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/11 21:18:05.0781 HP24X (04ebefe45b300a4edee5a38dc2791291) C:\WINDOWS\system32\DRIVERS\HP24X.sys
2010/12/11 21:18:07.0234 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/11 21:18:09.0359 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/11 21:18:09.0859 IDSxpx86 (74e8463447101ecf0165ddc7e5168b7e) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101130.001\IDSxpx86.sys
2010/12/11 21:18:10.0781 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/11 21:18:15.0718 IntcAzAudAddService (06b0e8d608ab69643b14a1f95f7feab3) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/12/11 21:18:20.0250 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/11 21:18:20.0968 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/11 21:18:21.0703 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/11 21:18:22.0390 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/11 21:18:23.0281 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/11 21:18:23.0875 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/11 21:18:24.0500 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/11 21:18:25.0156 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/11 21:18:25.0968 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/11 21:18:26.0734 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/11 21:18:28.0109 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/11 21:18:28.0875 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/11 21:18:29.0468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/11 21:18:30.0078 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/11 21:18:30.0828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/11 21:18:32.0312 MRVW245 (513179a0e168b4d4cc6ff302b9c27568) C:\WINDOWS\system32\DRIVERS\MRVW245.sys
2010/12/11 21:18:33.0281 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/11 21:18:34.0312 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/11 21:18:35.0421 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/11 21:18:36.0046 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/11 21:18:36.0796 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/11 21:18:37.0343 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/11 21:18:38.0031 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/11 21:18:38.0625 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/11 21:18:38.0984 NAVENG (49d802531e5984cf1fe028c6c129b9d8) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101203.032\NAVENG.SYS
2010/12/11 21:18:40.0375 NAVEX15 (158676a5758c1fa519563b3e72fbf256) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101203.032\NAVEX15.SYS
2010/12/11 21:18:42.0203 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/11 21:18:42.0859 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/11 21:18:43.0468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/11 21:18:44.0093 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/11 21:18:44.0875 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/11 21:18:45.0500 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/11 21:18:46.0171 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/11 21:18:47.0015 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/12/11 21:18:48.0406 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/11 21:18:49.0375 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/11 21:18:50.0390 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/11 21:18:51.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/11 21:18:51.0875 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/11 21:18:52.0531 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/12/11 21:18:53.0203 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/11 21:18:53.0937 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/11 21:18:54.0609 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/11 21:18:55.0375 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/11 21:18:56.0671 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/11 21:18:57.0312 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/11 21:18:59.0171 pdiddcci (d1fc85a4880539657bb4d3775da0c541) C:\WINDOWS\system32\DRIVERS\pdiddcci.sys
2010/12/11 21:18:59.0734 PdiPorts (18ed1d71fef6f71d38c24263500bbd01) C:\WINDOWS\system32\Drivers\PdiPorts.sys
2010/12/11 21:19:03.0062 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/11 21:19:03.0640 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/12/11 21:19:04.0375 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/11 21:19:05.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/11 21:19:05.0750 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/11 21:19:09.0328 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/11 21:19:10.0062 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/11 21:19:10.0656 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/11 21:19:11.0250 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/11 21:19:12.0093 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/11 21:19:12.0750 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/11 21:19:13.0625 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/11 21:19:14.0562 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/11 21:19:15.0406 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/11 21:19:15.0796 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/11 21:19:15.0984 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/11 21:19:16.0765 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/11 21:19:17.0390 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/11 21:19:18.0000 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/11 21:19:18.0781 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/11 21:19:20.0031 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2010/12/11 21:19:21.0375 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/11 21:19:22.0109 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/11 21:19:23.0062 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\NIS\1108000.005\SRTSP.SYS
2010/12/11 21:19:23.0890 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS
2010/12/11 21:19:24.0812 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/11 21:19:25.0703 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/11 21:19:26.0484 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/11 21:19:28.0781 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMDS.SYS
2010/12/11 21:19:29.0687 SymEFA (1c91df5188150510a6f0cf78f7d94b69) C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMEFA.SYS
2010/12/11 21:19:30.0468 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2010/12/11 21:19:31.0375 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS
2010/12/11 21:19:32.0453 SYMTDI (41aad61f87ca8e3b5d0f7fe7fba0797d) C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS
2010/12/11 21:19:34.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/11 21:19:35.0359 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/11 21:19:36.0203 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/11 21:19:36.0765 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/11 21:19:37.0343 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/11 21:19:38.0828 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/11 21:19:40.0453 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/11 21:19:41.0468 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/11 21:19:42.0109 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/11 21:19:42.0718 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/11 21:19:43.0437 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/11 21:19:44.0140 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/11 21:19:44.0859 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/11 21:19:45.0421 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/11 21:19:45.0984 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/11 21:19:47.0296 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/11 21:19:48.0203 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/11 21:19:49.0562 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/11 21:19:50.0484 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/11 21:19:50.0937 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/11 21:19:50.0953 ================================================================================
2010/12/11 21:19:50.0953 Scan finished
2010/12/11 21:19:50.0953 ================================================================================
2010/12/11 21:19:51.0031 Detected object count: 1
2010/12/11 21:20:44.0734 \HardDisk0 - will be cured after reboot
2010/12/11 21:20:44.0734 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/11 21:21:30.0640 Deinitialize success
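The log above has a regular shape: one timestamped line per loaded driver with its MD5 and image path, a separate "detected" line for the rootkit, and a final line recording the action chosen. That makes it easy to triage programmatically. The Python below is an added example written for this page, not part of TDSSKiller or of the original post: it parses lines in that format, lists drivers loaded from outside the Windows directory (in the full log above, the Norton and SUPERAntiSpyware drivers; legitimate, but the first place a reviewer looks), and pulls out each detection together with the action taken. The short sample log embedded in the code is constructed from a handful of lines copied from the posted log; the regexes, the field names and the `disk_level` flag are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes seen in the TDSSKiller 2.4 log above (the regexes are this example's own):
#   <ts> <ServiceName> (<md5>) <path>                 one loaded driver
#   <ts> <object> - detected <Family> (<n>)           a detection
#   <ts> <Family>(<object>) - User select action: <Action>
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
DRIVER_RE = re.compile(rf"^{TS} (\S+) \(([0-9a-f]{{32}})\) (.+)$")
DETECT_RE = re.compile(rf"^{TS} (\S+) - detected (\S+) \(\d+\)$")
ACTION_RE = re.compile(rf"^{TS} ([^(\s]+)\(([^)]+)\) - User select action: (\w+)$")


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    obj: str
    family: str
    action: Optional[str] = None


def parse_tdsskiller_log(text: str) -> dict:
    """Split a TDSSKiller log into loaded drivers, detections and the boot mode."""
    drivers: List[Driver] = []
    detections: Dict[str, Detection] = {}
    boot_type: Optional[str] = None
    for line in text.splitlines():
        if m := DRIVER_RE.match(line):
            drivers.append(Driver(*m.groups()))
        elif m := DETECT_RE.match(line):
            detections[m.group(1)] = Detection(m.group(1), m.group(2))
        elif m := ACTION_RE.match(line):
            if m.group(2) in detections:  # tie the chosen action to its detection
                detections[m.group(2)].action = m.group(3)
        elif "Boot type:" in line:
            boot_type = line.split("Boot type:", 1)[1].strip()
    return {"boot_type": boot_type, "drivers": drivers,
            "detections": list(detections.values())}


def drivers_outside(drivers: List[Driver], system_root: str = r"C:\WINDOWS") -> List[Driver]:
    """Drivers whose image is not under the Windows directory. Security products
    load from there too, so this is a review list, not a verdict."""
    root = system_root.lower().rstrip("\\") + "\\"
    return [d for d in drivers if not d.path.lower().startswith(root)]


def triage(text: str) -> dict:
    parsed = parse_tdsskiller_log(text)
    dets = parsed["detections"]
    return {
        "boot_type": parsed["boot_type"],
        "driver_count": len(parsed["drivers"]),
        "outside_system_root": [d.name for d in drivers_outside(parsed["drivers"])],
        "detections": [(d.obj, d.family, d.action) for d in dets],
        # A detection on \HardDiskN is a boot-sector object, not a driver file
        "disk_level": any(d.obj.lower().startswith(r"\harddisk") for d in dets),
    }


# Constructed sample: a few lines copied from the posted log, nothing else
SAMPLE_LOG = r"""
2010/12/11 21:16:48.0625 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/11 21:16:48.0625 Boot type: Safe boot with network
2010/12/11 21:17:11.0515 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/11 21:17:22.0984 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/11 21:19:15.0796 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/11 21:19:50.0937 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/11 21:19:51.0031 Detected object count: 1
2010/12/11 21:20:44.0734 \HardDisk0 - will be cured after reboot
2010/12/11 21:20:44.0734 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log above, the "outside_system_root" list is where to compare MD5s against the vendor's known files, and a true "disk_level" flag is the cue that the object being cured is the boot sector rather than a file that could simply be deleted.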

#8 NeilB

Posted 11 December 2010 - 11:07 PM

And here's the MBAM log:
"mbam-log-2010-12-11 (22-39-31)"

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5153

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/11/2010 10:39:31 PM
mbam-log-2010-12-11 (22-39-31).txt

Scan type: Quick scan
Objects scanned: 215342
Time elapsed: 42 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\0.0166399164509361.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\0.7661661510548468.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.




#9 Elise

Posted 12 December 2010 - 07:48 AM

That was a nasty rootkit. I recommend you change any sensitive data (like passwords or online banking/credit card information) if you used that on this computer.

How are things running now?

regards, Elise



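TDSSKiller reported the detection on \HardDisk0 rather than on a driver file, and scheduled the cure for the next reboot: TDL4 lives in the master boot record, and the first sector of the disk has to be rewritten before the infected loader gets to run again. Below is an added example (not code from TDSSKiller, from Elise, or from the original thread) of what a disk-level check looks like: it parses a 512-byte MBR, verifies the 0x55AA boot signature, decodes the four partition entries, and compares a SHA-256 of the 446-byte boot code against a baseline recorded while the system was known to be clean. Both MBR images, the "good" one and the tampered one, are constructed here from a stub loader; the stub bytes, the baseline and the partition values are assumptions, not sectors from the affected PC.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
BOOTCODE_LEN = 446       # classic MBR: 446 bytes of loader code ...
PTABLE_OFF = 446         # ... then four 16-byte partition entries ...
SIG_OFF = 510            # ... then the 0x55AA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PTABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> dict:
    """Compare one 512-byte sector against a baseline taken from a clean system."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = []
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    if digest != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p.lba_start == 0:
            findings.append(f"partition {p.index} starts at LBA 0 and overlaps the MBR")
    return {"bootcode_sha256": digest, "partitions": parts,
            "findings": findings, "clean": not findings}


def build_mbr(bootcode: bytes, entries: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a sector from loader bytes and (bootable, type, lba, count) tuples."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for boot, ptype, lba, count in entries
    )
    return code + table.ljust(64, b"\x00") + b"\x55\xAA"


# Constructed images (assumptions, not sectors from the affected PC):
# a stub loader that just spins, one active NTFS (0x07) partition at LBA 63.
GOOD_BOOTCODE = b"\xEB\xFE" + b"\x90" * 30
PARTITIONS = [(True, 0x07, 63, 2_000_000)]
GOOD_MBR = build_mbr(GOOD_BOOTCODE, PARTITIONS)
BASELINE = hashlib.sha256(GOOD_MBR[:BOOTCODE_LEN]).hexdigest()
# Bootkit-style tampering: loader replaced, partition table left intact so
# Windows still boots and nothing looks wrong from inside the OS.
EVIL_MBR = build_mbr(b"\xFA\x33\xC0" + b"\xCC" * 40, PARTITIONS)

if __name__ == "__main__":
    for label, image in (("good", GOOD_MBR), ("tampered", EVIL_MBR)):
        print(label, check_mbr(image, BASELINE)["findings"])
```

On a live Windows system the sector can be read with administrative rights from \\.\PhysicalDrive0, and the baseline should be captured on a machine known to be clean. One caveat is the whole point of this thread: a boot-sector rootkit that hooks the disk stack can hand a clean-looking sector back to a userland reader, so a "clean" result obtained from inside the infected OS is not conclusive. Reading the sector from boot media, or after the rootkit's driver has been removed, is the check to trust, which is also why the cure above is applied at reboot.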

#10 NeilB

Posted 12 December 2010 - 03:33 PM

Sluggish to start up but otherwise appears to be working.

First time after booting into normal mode and logging in, got a "Windows Explorer has encountered an error and needs to close. We are sorry for the inconvenience." window. I clicked into the detail windows and have a screen shot of those saved. Nothing actually appeared to close once I clicked out of the windows, but then tried to start IE and it would not connect to any sites. Decided to reboot; while shutting down, Windows installed an update which took about 10 minutes.

Powered back and booted into normal mode again, again slow (5-6 minutes to reach the login screen every time). Seemed to run OK this time, a little sluggish bringing up apps but IE would work OK. Tried to install a Windows Automatic Update for .NET Framework 3.5 (KB951847) x86; it said it initialized but never seemed to make progress. I ended up canceling it, which also took a long time to close.

So in summary, it looks like it's working, but slowly. Suggestions?

#11 Elise

Posted 12 December 2010 - 03:49 PM

To be sure, let's do some scans. I will move this topic to a more appropriate forum.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise




#12 NeilB

Posted 12 December 2010 - 09:18 PM

OK, for some reason it isn't liking it when I try to cut and paste the files in, I will attach instead.

Attached file: OTL.Txt (98.24KB)



and here's the Extras.txt

Attached file: Extras.Txt (35.79KB)

#13 Elise

Posted 13 December 2010 - 02:57 AM

There is still quite some active malware running. Let's get rid of it. :)

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#14 NeilB

Posted 13 December 2010 - 10:53 AM

Here is the ComboFix log, attached.

After it ran and rebooted, while running the log I got a RUNDLL window with the message "Error loading C:\WINDOWS\mpmowpv.dll The specified module could not be found." Clicked OK and things seemed to continue along.

Took about 3-4 minutes to reach the login screen on the reboot compared to 5-6 minutes before, don't know if that's a sign of improvement or randomness.

Attached file: ComboFix.txt (18.88KB)

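A RUNDLL "Error loading C:\WINDOWS\mpmowpv.dll" box at logon means an autostart entry is still handing that DLL to rundll32.exe after the cleanup removed the file; the fix is to remove the entry, not to put the file back. The Python below is an added example for this page, not ComboFix's logic or the original poster's code: it extracts the DLL path from rundll32-style autostart command lines (quoted or unquoted, with or without a full path to rundll32) and reports entries whose DLL no longer exists on disk. The sample Run-key values and the list of files present are constructed for the example; the entry name and the ",Startup" export used for mpmowpv.dll are placeholders, not values taken from the affected machine.

```python
import re
from typing import Dict, Iterable, List, Optional

# Matches the rundll32 host at the start of a command line, with or without a
# directory, .exe suffix or surrounding quotes; the rest of the line is captured.
RUNDLL_RE = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def dll_from_rundll32(cmdline: str) -> Optional[str]:
    """Return the DLL a rundll32 command line would load, or None if the command
    is not a rundll32 invocation. rundll32's argument is '<dll>,<entrypoint> [args]';
    the DLL may be quoted (and then may contain spaces) or unquoted."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 1 else None
    # Unquoted: the DLL runs up to the comma before the entry point,
    # or to the first space if there is no comma.
    return re.split(r"[,\s]", rest, maxsplit=1)[0] or None


def find_orphaned_entries(entries: Dict[str, str], existing_files: Iterable[str]) -> List[dict]:
    """For every rundll32-style autostart value, report whether its DLL is present."""
    present = {p.lower() for p in existing_files}
    report = []
    for name, cmd in entries.items():
        dll = dll_from_rundll32(cmd)
        if dll is None:
            continue  # not a rundll32 entry; out of scope for this check
        report.append({"entry": name, "dll": dll, "orphaned": dll.lower() not in present})
    return report


def orphan_names(entries: Dict[str, str], existing_files: Iterable[str]) -> List[str]:
    return [r["entry"] for r in find_orphaned_entries(entries, existing_files) if r["orphaned"]]


# Constructed sample values in the shape of HKLM\...\CurrentVersion\Run data.
# The "mpmowpv" entry name and the ",Startup" export are placeholders.
SAMPLE_RUN_VALUES = {
    "mpmowpv": r"rundll32.exe C:\WINDOWS\mpmowpv.dll,Startup",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    "Helper": r'"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\Example\helper.dll",Run',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
# Constructed snapshot of the files that exist after cleanup (mpmowpv.dll is gone)
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\NvCpl.dll",
    r"C:\Program Files\Example\helper.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for row in find_orphaned_entries(SAMPLE_RUN_VALUES, SAMPLE_FILES):
        print(row)
```

On a real machine the entries come from the Run and RunOnce keys under both HKLM and HKCU, and "existing_files" from a directory walk; the same extraction applies to a scheduled task or a startup-folder shortcut whose command line starts with rundll32. An entry that is orphaned is safe to remove outright, since the file it pointed to is already gone.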
#15 Elise

Posted 13 December 2010 - 11:40 AM

Hi, at this point, do you still get this error message? I am asking because combofix apparently fixed that problem (if I am to believe the log). If it is still there, let me know and we'll fix it manually.

regards, Elise






