Rootkit.TDSS.Gen Issue


This topic is locked
9 replies to this topic

#1 rycool20


  • Members
  • 20 posts

Posted 08 December 2010 - 12:16 PM

I am using Windows XP and started getting issues with Google (in both Firefox and IE) redirecting links to random junk search sites. I did a scan with Malwarebytes (fully updated) and got Rootkit.TDSS.Gen detections. I cleaned them, but it keeps coming back. I tried ending any processes I did not recognize and closing all my browsers, then running it again, but to no avail.

Here is my most recent Malwarebytes log:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5270

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/8/2010 12:05:05 PM
mbam-log-2010-12-08 (12-05-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 308790
Time elapsed: 1 hour(s), 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\4.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\6.tmp (Rootkit.TDSS.Gen) -> Delete on reboot.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\L8QZIRTM\dm6[1].exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.

Any help would be greatly appreciated.

-Ryan



#2 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 December 2010 - 01:03 PM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 rycool20

  • Topic Starter

  • Members
  • 20 posts

Posted 08 December 2010 - 01:17 PM

It did detect TDSS. I clicked Cure and restarted; here is the log:

2010/12/08 13:10:01.0145 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/08 13:10:01.0145 ================================================================================
2010/12/08 13:10:01.0145 SystemInfo:
2010/12/08 13:10:01.0145
2010/12/08 13:10:01.0145 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/08 13:10:01.0145 Product type: Workstation
2010/12/08 13:10:01.0145 ComputerName: GFC-HQ-RMURPHY
2010/12/08 13:10:01.0145 UserName: rmurphy
2010/12/08 13:10:01.0145 Windows directory: C:\WINDOWS
2010/12/08 13:10:01.0145 System windows directory: C:\WINDOWS
2010/12/08 13:10:01.0145 Processor architecture: Intel x86
2010/12/08 13:10:01.0145 Number of processors: 2
2010/12/08 13:10:01.0145 Page size: 0x1000
2010/12/08 13:10:01.0145 Boot type: Normal boot
2010/12/08 13:10:01.0145 ================================================================================
2010/12/08 13:10:01.0379 Initialize success
2010/12/08 13:10:52.0330 ================================================================================
2010/12/08 13:10:52.0330 Scan started
2010/12/08 13:10:52.0330 Mode: Manual;
2010/12/08 13:10:52.0330 ================================================================================
2010/12/08 13:10:52.0736 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/12/08 13:10:52.0767 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/08 13:10:52.0767 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/08 13:10:52.0783 ADIHdAudAddService (53b29a84f5105a6d887b662188c93503) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/12/08 13:10:52.0799 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/08 13:10:52.0799 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
2010/12/08 13:10:52.0830 AEAudio (b4afcc2f911939a1c16a26e7eba7f36b) C:\WINDOWS\system32\drivers\AEAudio.sys
2010/12/08 13:10:52.0845 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/08 13:10:52.0892 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/08 13:10:52.0923 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/08 13:10:52.0923 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/08 13:10:53.0064 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/08 13:10:53.0111 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/08 13:10:53.0142 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/08 13:10:53.0158 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/08 13:10:53.0205 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/12/08 13:10:53.0205 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/12/08 13:10:53.0236 AvgRkx86 (94a16f829b1456237b7f929198ce2807) C:\WINDOWS\system32\Drivers\avgrkx86.sys
2010/12/08 13:10:53.0283 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/08 13:10:53.0314 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/08 13:10:53.0345 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/08 13:10:53.0361 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/08 13:10:53.0392 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/08 13:10:53.0517 DgivEcp (277b9af0f1034be4731cba7eff10e8f9) C:\WINDOWS\system32\Drivers\DgivEcp.Sys
2010/12/08 13:10:53.0548 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/08 13:10:53.0595 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/08 13:10:53.0627 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/08 13:10:53.0627 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/08 13:10:53.0658 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/08 13:10:53.0689 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/08 13:10:53.0705 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/08 13:10:53.0736 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/08 13:10:53.0783 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2010/12/08 13:10:53.0814 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/08 13:10:53.0845 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/08 13:10:53.0861 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/08 13:10:53.0892 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/08 13:10:53.0923 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/08 13:10:53.0970 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/08 13:10:53.0986 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/08 13:10:54.0017 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/08 13:10:54.0033 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/08 13:10:54.0064 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\WINDOWS\system32\DRIVERS\HECI.sys
2010/12/08 13:10:54.0095 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/08 13:10:54.0142 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/08 13:10:54.0189 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/08 13:10:54.0220 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2010/12/08 13:10:54.0252 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2010/12/08 13:10:54.0252 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2010/12/08 13:10:54.0267 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2010/12/08 13:10:54.0267 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2010/12/08 13:10:54.0283 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2010/12/08 13:10:54.0298 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2010/12/08 13:10:54.0314 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2010/12/08 13:10:54.0330 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2010/12/08 13:10:54.0330 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2010/12/08 13:10:54.0345 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2010/12/08 13:10:54.0361 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2010/12/08 13:10:54.0377 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2010/12/08 13:10:54.0392 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2010/12/08 13:10:54.0408 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2010/12/08 13:10:54.0439 IFXTPM (2cdf483f8fc2bf3f7b93e3bdd734cfbd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2010/12/08 13:10:54.0455 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/08 13:10:54.0502 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/08 13:10:54.0533 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/08 13:10:54.0564 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/08 13:10:54.0580 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/08 13:10:54.0595 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/08 13:10:54.0627 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/08 13:10:54.0627 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/08 13:10:54.0642 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/08 13:10:54.0673 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/08 13:10:54.0705 KAPFA (9c3abc6d9cc915056f0918469f567975) C:\WINDOWS\system32\drivers\KAPFA.SYS
2010/12/08 13:10:54.0736 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/08 13:10:54.0752 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/08 13:10:54.0767 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/08 13:10:54.0798 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/08 13:10:54.0861 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/08 13:10:54.0892 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/08 13:10:54.0923 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/12/08 13:10:54.0955 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/08 13:10:54.0986 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/08 13:10:55.0002 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/08 13:10:55.0017 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/08 13:10:55.0048 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/08 13:10:55.0111 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/08 13:10:55.0158 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/08 13:10:55.0189 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/08 13:10:55.0236 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/08 13:10:55.0283 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/08 13:10:55.0330 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/08 13:10:55.0376 NDIS (8716356e49a665bdc7b114725b60a456) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/08 13:10:55.0423 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/08 13:10:55.0455 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/08 13:10:55.0455 NdisWan (5526cfebb619f7f763bd6a2e1b618078) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/08 13:10:55.0470 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/08 13:10:55.0486 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/08 13:10:55.0517 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/08 13:10:55.0548 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/08 13:10:55.0580 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/08 13:10:55.0626 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/08 13:10:55.0751 nv (fee170f182d5167b6e06e490dd7b42d7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/08 13:10:55.0876 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/08 13:10:55.0892 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/08 13:10:55.0908 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/12/08 13:10:55.0923 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/08 13:10:55.0939 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/08 13:10:55.0955 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/08 13:10:55.0970 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/08 13:10:56.0001 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/08 13:10:56.0033 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/08 13:10:56.0142 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/08 13:10:56.0158 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/08 13:10:56.0158 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/08 13:10:56.0251 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/08 13:10:56.0267 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/08 13:10:56.0283 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/08 13:10:56.0298 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/08 13:10:56.0314 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/08 13:10:56.0330 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/08 13:10:56.0345 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/08 13:10:56.0376 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/08 13:10:56.0392 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/08 13:10:56.0423 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/12/08 13:10:56.0455 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/08 13:10:56.0486 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/08 13:10:56.0501 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/08 13:10:56.0533 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/08 13:10:56.0595 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/08 13:10:56.0626 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/08 13:10:56.0642 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/08 13:10:56.0673 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/08 13:10:56.0689 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/08 13:10:56.0720 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/08 13:10:56.0736 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/08 13:10:56.0736 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2010/12/08 13:10:56.0751 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/08 13:10:56.0767 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/08 13:10:56.0783 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/08 13:10:56.0830 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/08 13:10:56.0861 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/08 13:10:56.0876 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/08 13:10:56.0892 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/08 13:10:56.0939 tmcomm (2ddd3c0e23bc0fd63702910c597298b4) C:\WINDOWS\system32\drivers\tmcomm.sys
2010/12/08 13:10:56.0986 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/08 13:10:57.0048 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/08 13:10:57.0095 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/08 13:10:57.0111 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/08 13:10:57.0158 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/08 13:10:57.0205 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/08 13:10:57.0251 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/08 13:10:57.0267 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/08 13:10:57.0283 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/08 13:10:57.0314 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/08 13:10:57.0330 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/08 13:10:57.0361 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/08 13:10:57.0423 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/08 13:10:57.0486 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/08 13:10:57.0564 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/08 13:10:57.0580 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/08 13:10:57.0626 xeipnmdm (0510b170a12229fbda374547f4b55c26) C:\WINDOWS\system32\DRIVERS\xeipnmdm.sys
2010/12/08 13:10:57.0642 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/08 13:10:57.0642 ================================================================================
2010/12/08 13:10:57.0642 Scan finished
2010/12/08 13:10:57.0642 ================================================================================
2010/12/08 13:10:57.0658 Detected object count: 1
2010/12/08 13:11:06.0985 \HardDisk0 - will be cured after reboot
2010/12/08 13:11:06.0985 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/08 13:11:19.0672 Deinitialize success

#4 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 50,969 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 December 2010 - 01:31 PM

This is the pertinent section of the log which indicates a TDSS rootkit infected the Master Boot Record (MBR) and that it will be cured after reboot.

2010/12/08 13:10:57.0642 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/08 13:10:57.0642 ================================================================================
2010/12/08 13:10:57.0642 Scan finished
2010/12/08 13:10:57.0642 ================================================================================
2010/12/08 13:10:57.0658 Detected object count: 1
2010/12/08 13:11:06.0985 \HardDisk0 - will be cured after reboot
2010/12/08 13:11:06.0985 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

This particular malware alters the MBR of the system drive to ensure persistent execution of malicious code. Essentially, it overwrites the MBR of the hard disk with its own code and stores a copy of the original MBR at another sector using rootkit techniques to hide itself. To learn more about these types of infections please refer to:
Please download Norman Malware Cleaner and save to your desktop.
alternate download link
If you previously used Norman, delete that version and download it again as the tool is frequently updated!
  • Be sure to read all the information Norman provides on that same page.
  • Double-click on Norman_Malware_Cleaner.exe to start. Vista/Windows 7 users right-click and select Run As Administrator.
    The tool is very slow to load as it uses a special driver. This is normal so please be patient.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot to ensure that all infections are removed.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.
-- Note: If you need to scan a USB flash drive or other removable drive not listed, use the Add button to browse to the drive's location, click on the drive to highlight it and choose Ok.


Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
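Added example (not code from this thread, from Kaspersky, or from BleepingComputer): a small Python triage helper that reads the TDSSKiller log format posted above. It inventories the driver lines (service name, MD5, path) and pulls out the three things quietman7 calls the pertinent section: the detection on the disk object, the user-selected action, and whether the cure is deferred to the next reboot. It also cross-checks the tool's own "Detected object count" against the detection lines actually present, so a truncated or hand-edited paste is noticed. The regular expressions are my assumption from the 2.4.11.0 log in this thread; other tool versions may print different text. The embedded sample is constructed from a handful of lines of that log and is not a complete scan.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes taken from the TDSSKiller 2.4.11.0 log posted in this thread
# (assumption: other versions of the tool may print slightly different text).
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<obj>\S+) - detected (?P<threat>\S+) \(\d+\)$")
CURE_RE = re.compile(r"^(?P<obj>\S+) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(?P<threat>\S+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

# Constructed sample: a few lines in the shape of the log above (driver inventory,
# the disk-object detection, the count and the chosen action), not a complete log.
SAMPLE_LOG = r"""
2010/12/08 13:10:52.0330 Scan started
2010/12/08 13:10:52.0330 Mode: Manual;
2010/12/08 13:10:52.0767 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/08 13:10:53.0111 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/08 13:10:57.0642 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/08 13:10:57.0642 Scan finished
2010/12/08 13:10:57.0658 Detected object count: 1
2010/12/08 13:11:06.0985 \HardDisk0 - will be cured after reboot
2010/12/08 13:11:06.0985 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""


@dataclass
class Triage:
    drivers: Dict[str, Dict[str, str]] = field(default_factory=dict)  # service name -> md5/path
    detections: List[Dict[str, str]] = field(default_factory=list)    # object/threat pairs
    actions: Dict[str, str] = field(default_factory=dict)             # object -> chosen action
    pending_reboot: List[str] = field(default_factory=list)           # objects cured only after reboot
    reported_count: Optional[int] = None                              # tool's own "Detected object count"
    unparsed: List[str] = field(default_factory=list)                 # lines without a timestamp


def parse_tdsskiller_log(text: str) -> Triage:
    """Parse the inventory and detection lines of a TDSSKiller text log."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if not m:
            t.unparsed.append(line)
            continue
        msg = m.group(2)
        if (d := DETECT_RE.match(msg)):
            t.detections.append({"object": d["obj"], "threat": d["threat"]})
        elif (c := CURE_RE.match(msg)):
            t.pending_reboot.append(c["obj"])
        elif (a := ACTION_RE.match(msg)):
            t.actions[a["obj"]] = a["action"]
        elif (n := COUNT_RE.match(msg)):
            t.reported_count = int(n["n"])
        elif (dr := DRIVER_RE.match(msg)):
            t.drivers[dr["name"]] = {"md5": dr["md5"].lower(), "path": dr["path"]}
        # banner, separator and "Scan started/finished" lines carry nothing to keep
    return t


def count_consistent(t: Triage) -> bool:
    """The count printed by the tool should equal the detection lines we actually saw."""
    return t.reported_count is None or t.reported_count == len(t.detections)


def is_boot_sector_object(obj: str) -> bool:
    # TDL4-style detections name the physical disk (HardDisk0), not a file path.
    return obj.lstrip("\\").lower().startswith("harddisk")


def verdicts(t: Triage) -> List[str]:
    """One human-readable line per detection, plus any bookkeeping problems."""
    out = []
    for d in t.detections:
        obj, threat = d["object"], d["threat"]
        where = "boot sector / MBR" if is_boot_sector_object(obj) else "file or driver"
        action = t.actions.get(obj, "no action recorded")
        reboot = ", cure completes after reboot" if obj in t.pending_reboot else ""
        out.append(f"{obj}: {threat} [{where}] -> {action}{reboot}")
    if not count_consistent(t):
        out.append(f"WARNING: tool reported {t.reported_count} object(s) but log shows {len(t.detections)}")
    if t.unparsed:
        out.append(f"NOTE: {len(t.unparsed)} line(s) without a timestamp were ignored")
    return out


if __name__ == "__main__":
    triage = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(triage.drivers)} driver(s) inventoried")
    for line in verdicts(triage):
        print(line)
```

The driver inventory is kept as a name-to-hash map on purpose: when a helper later asks for a second opinion on a suspicious driver, the MD5 from the log can be compared against a known-good list or submitted to a multi-engine scanner without re-hashing the file on the infected machine. A detection whose object is a disk rather than a file, with a cure deferred to reboot, is the signature of the MBR case quietman7 describes; a missing "User select action" line for that object means the user never confirmed the cure.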

#5 rycool20

  • Topic Starter

  • Members
  • 20 posts

Posted 09 December 2010 - 11:25 AM

Sorry for the delay, the Norman scan took a long time. After the Norman one, I was still having issues with search links being redirected.
I ran the ESET scan and left it running when I went home for the day. When I came back this morning I could not get the computer to start back up, so I restarted and ran it again. As far as I saw the first time I ran it, it detected a few viruses; I remember that they were an 'Olimarik AJC trojan' and an 'NWG trojan'. Unfortunately I do not have the full results of that scan. I re-ran the ESET scan today, and different issues appeared this time, and that is the log I have here, along with the Norman log:

Norman Malware Cleaner
Version 1.8.3
Copyright 1990 - 2010, Norman ASA. Built 2010/12/07 16:59:54

Norman Scanner Engine Version: 6.06.07
Nvcbin.def Version: 6.06.00, Date: 2010/12/07 16:59:54, Variants: 8304917

Scan started: 2010/12/08 13:49:01

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: FINANCE\rmurphy

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = -> ""

Scanning kernel...

Kernel scan complete


Scanning bootsectors...

Number of sectors found: 1
Number of sectors scanned: 1
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 31ms


Scanning running processes and process memory...

Number of processes/threads found: 5053
Number of processes/threads scanned: 5053
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 2m 4s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/componentslist.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/componentstree.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/maintenance.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/progressprereq.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/readme.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/setuptype.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/startinstallation.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{2E58FB9B-0548-471A-AA7A-FA3EE8D8F988}\Setup.res/wizard.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/componentslist.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/componentstree.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/maintenance.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/progressprereq.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/readme.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/setuptype.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/startinstallation.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{44C887F8-226D-445E-A0AD-EC0E82C02C0B}\Setup.res/wizard.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/componentslist.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/componentstree.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/maintenance.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/progressprereq.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/readme.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/setuptype.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/startinstallation.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{649368D7-58DE-43D3-A64D-CD57E976131B}\Setup.res/wizard.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/componentstree.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/maintenance.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/prereq.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/progressprereq.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/progressuninstall.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/readme.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/setuptype.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/startinstallation.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/welcome.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{B12FAE0A-2533-446E-A31B-6310DD4C65FB}\Setup.res/wizard.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/componentstree.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/maintenance.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/prereq.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/progressprereq.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/progressuninstall.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/readme.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/setuptype.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/startinstallation.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/welcome.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\All Users\Application Data\{EA445726-C742-428A-9D5B-8461840A5E29}\Setup.res/wizard.dfm.miaf (Error whilst scanning file: I/O Error (0x00220005))

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\41\4f427469-3d7be3f0/gogol/Emailer.class (Infected with JAVA/Dloader.H)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\41\4f427469-3d7be3f0/gogol/Familie.class (Infected with Java/Agent.X)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\41\4f427469-3d7be3f0/gogol/PhonBook.class (Infected with JAVA/Dloader.I)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\42\521bbaaa-7dd42484/myf/y/AppletX.class (Infected with Exploit/ByteVerify.A)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\42\521bbaaa-7dd42484/myf/y/LoaderX.class (Infected with JAVA/Byteverify.AE)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\42\521bbaaa-7dd42484/myf/y/PayloadX.class (Infected with JS/ByteVerify.F)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\5\68610bc5-4024c0a0/mz1/my/CL.class (Infected with Suspicious_Gen2.CHDKN)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\5\68610bc5-4024c0a0/mz1/my/MainClass.class (Infected with Suspicious_Gen2.CSTVQ)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\51\3534cc33-61f791ae/Is.class (Infected with JAVA/Dloader.J)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\51\3534cc33-61f791ae/MyName.class (Infected with JAVA/Exploit.AB)
Deleted file

C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\51\3534cc33-61f791ae/Phone.class (Infected with Java/Exploit.AA)
Deleted file

C:\Program Files\Nationwide\Life Illustrator\bin\Temp\LI_Minor_Setup.exe/noname.nsis/file1 (Error whilst scanning file: I/O Error (0x00220000))

C:\Program Files\Nationwide\Life Illustrator\uninst.exe/noname.nsis/file0 (Error whilst scanning file: I/O Error (0x00220005))

Scanning: D:\*.*

Scanning: postscan


Running post-scan cleanup routine:

Number of files found: 427613
Number of archives unpacked: 9063
Number of files scanned: 427566
Number of files not scanned: 47
Number of files skipped due to exclude list: 0
Number of infected files found: 11
Number of infected files repaired/deleted: 11
Number of infections removed: 11
Total scanning time: 2h 24m 9s


----------------------------------------------------------------------------

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=9165c4aa0f9d4d4d8489a3257c499e05
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-08 10:23:42
# local_time=2010-12-08 05:23:42 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 53053760 53053760 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114849
# found=4
# cleaned=4
# scan_time=3260
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6YJF5HYT\dm6[1].exe Win32/Olmarik.AJC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UYFQ0VEB\gspwjg[1].htm JS/TrojanDownloader.Agent.NWG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\3E.tmp Win32/Olmarik.AJC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\40.tmp Win32/Olmarik.AJC trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=9165c4aa0f9d4d4d8489a3257c499e05
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-09 02:54:19
# local_time=2010-12-09 09:54:19 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 53110832 53110832 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115100
# found=2
# cleaned=2
# scan_time=5624
C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\28\11d5729c-6fe74ea5 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\5\68610bc5-4024c0a0 a variant of Java/TrojanDownloader.Agent.NAD trojan (deleted - quarantined) 00000000000000000000000000000000 C

#6 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA)

Posted 09 December 2010 - 02:13 PM

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache to ensure everything is cleaned out:
Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Link 1
Link 2
Be sure to print out and read the instructions provided in: How to Install Kaspersky Virus Removal Tool
How to use the Kaspersky Virus Removal Tool to automatically remove viruses
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe) to select your language and install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • When the 'Setup page' appears, click Next, check the box 'I accept the license agreement' and click Next twice more to begin extracting the required files.
  • Setup may recommend to scan the computer in Safe Mode. Click Ok.
  • A window will open with a tab that says Autoscan and one for Manual disinfection.
  • Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, you will see the Scan Alert screen. Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
  • Copy and paste the report results of any threats detected and if they were successfully removed in your next reply. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2010.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
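To make the cache-clearing advice above concrete, here is an added example (not code from BleepingComputer, quietman7, or Oracle) that inventories the JRE deployment cache and can wipe it. Everything about the on-disk layout is an assumption drawn from the paths in the scanner logs on this page: each cache entry is an extension-less payload file (a JAR or a loose .class) stored beside a same-named .idx metadata file, under numbered bucket directories below cache\6.0. DEFAULT_CACHE is the Windows XP location quoted in the post; build_sample_cache builds a constructed fixture so the script runs offline, and the class names in it are the ones the Norman log reported.

```python
"""Inventory and optionally clear the Java applet / Web Start deployment cache.
Added example, not a BleepingComputer or Oracle tool.  Layout assumptions:
extension-less payload entries (JAR or loose .class) beside .idx metadata
files, in numbered buckets under the cache root."""
import hashlib
import os
import tempfile
import zipfile

# XP-era default quoted in the post above (assumption; adjust for other OSes).
DEFAULT_CACHE = os.path.expandvars(r"%APPDATA%\Sun\Java\Deployment\cache\6.0")

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # first 4 bytes of every .class file
ZIP_MAGIC = b"PK\x03\x04"           # first 4 bytes of a JAR (zip) file


def classify(path):
    """Return ('jar', [class members]), ('class', []) or ('other', [])."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(path) as z:
                return "jar", [n for n in z.namelist() if n.endswith(".class")]
        except zipfile.BadZipFile:
            return "other", []
    if head == CLASS_MAGIC:
        return "class", []
    return "other", []


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_java_cache(root=DEFAULT_CACHE):
    """One record per payload entry: path, kind, sha256 and contained classes.
    .idx files are metadata and are skipped here (clear_java_cache removes them)."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".idx"):
                continue
            path = os.path.join(dirpath, name)
            kind, classes = classify(path)
            records.append({"path": path, "kind": kind,
                            "sha256": sha256(path), "classes": classes})
    return records


def clear_java_cache(root=DEFAULT_CACHE, dry_run=True):
    """Delete every file below the cache root (payloads and .idx files).
    Returns the paths deleted, or with dry_run=True the paths that would be.
    The JRE recreates the bucket directories on its own, so nothing else is needed."""
    removed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not dry_run:
                os.remove(path)
            removed.append(path)
    return removed


def build_sample_cache(root=None):
    """Constructed fixture: one JAR entry carrying the class names from the
    Norman log above, its .idx file, and one loose .class entry."""
    root = root or tempfile.mkdtemp(prefix="javacache-")
    bucket = os.path.join(root, "41")
    os.makedirs(bucket, exist_ok=True)
    jar = os.path.join(bucket, "4f427469-3d7be3f0")
    with zipfile.ZipFile(jar, "w") as z:
        for member in ("gogol/Emailer.class", "gogol/Familie.class", "gogol/PhonBook.class"):
            z.writestr(member, CLASS_MAGIC + b"\x00" * 12)   # placeholder bytecode
    with open(jar + ".idx", "wb") as f:
        f.write(b"\x00" * 16)
    with open(os.path.join(bucket, "1a2b3c4d-5e6f7081"), "wb") as f:
        f.write(CLASS_MAGIC + b"\x00" * 12)
    return root


if __name__ == "__main__":
    root = build_sample_cache()
    for rec in inventory_java_cache(root):
        print(rec["kind"], rec["sha256"][:12], rec["path"], rec["classes"])
    print("would delete:", clear_java_cache(root, dry_run=True))
```

Run the inventory first and keep the hash list: when a later scan names a cache entry, the SHA-256 lets you tie it to a known sample without touching the applet again. The scanners above report members inside an entry (gogol/Emailer.class and so on), which is why the inventory opens each entry as a zip instead of trusting the missing extension.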

#7 rycool20 (Topic Starter)

Posted 10 December 2010 - 08:33 AM

Ok, I am still having problems. I have run the Kaspersky scan, and it is still detecting TDSS every time. It restarts and says it is clean, but it does not appear to actually go away. I am also still getting the unwanted pop-ups and search redirections. Also, when I restart now the computer takes really long to go through every step, and seemed to get frozen at "Applying Personal Settings" when I log on; I had to start up in Safe Mode this time to get it to work.

EDIT: I fixed the starting up issue. I went into 'msconfig' and removed the Kaspersky Setup file; apparently that was hindering the startup process. Also, I'd like to note that the redirection issues were still occurring in Safe Mode. I also ran another Malwarebytes scan and it showed 0 infections.

Also, since this infection started I have been periodically getting this message:

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

Thanks,

Here is the log:

Autoscan: stopped 23 minutes ago (events: 2, objects: 11993, time: 00:04:46)
12/9/2010 2:30:57 PM Task started
12/9/2010 2:35:45 PM Task stopped
Autoscan: stopped 2 minutes ago (events: 8, objects: 1114, time: 00:01:48)
12/9/2010 2:35:50 PM Task started
12/9/2010 2:35:51 PM Detected: MEM:Rootkit.Win32.TDSS.fa Unknown application
12/9/2010 2:36:04 PM Cannot be backed up: MEM:Rootkit.Win32.TDSS.fa Unknown application
12/9/2010 2:38:32 PM Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
12/9/2010 2:40:40 PM Task stopped
12/9/2010 2:54:21 PM Task started
12/9/2010 2:56:04 PM Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
12/9/2010 2:56:10 PM Task stopped
Disinfect active threats: completed 16 minutes ago (events: 3, objects: 4341, time: 00:01:59)
12/9/2010 2:40:40 PM Task started
12/9/2010 2:40:40 PM Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
12/9/2010 2:42:39 PM Task completed
Disinfect active threats: completed <1 minute ago (events: 3, objects: 3685, time: 00:02:09)
12/9/2010 2:56:10 PM Task started
12/9/2010 2:56:10 PM Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
12/9/2010 2:58:19 PM Task completed

Edited by rycool20, 10 December 2010 - 09:30 AM.
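The two scanner reports in this thread (the ESET Online Scanner log posted earlier and the Kaspersky Virus Removal Tool report in post #7) answer the same question once parsed: did the cleaned object come back? The following added example (not a tool from BleepingComputer, ESET, or Kaspersky) parses both formats and flags in-memory detections that reappear after a disinfection task reported completion, which is exactly what the Kaspersky log above shows for MEM:Rootkit.Win32.TDSS.fa. Both line formats are assumptions inferred from the lines quoted on this page, not documented specifications, and the sample text is copied from those posts.

```python
"""Parse the ESET Online Scanner and Kaspersky Virus Removal Tool reports
posted in this thread and flag detections that survive "cleaning".
Added example, not a tool from BleepingComputer or either vendor; both line
formats below are assumptions inferred from the lines quoted on this page."""
import re
from collections import Counter
from datetime import datetime

# Sample input, copied from the ESET report posted earlier in the thread.
ESET_SAMPLE = r"""
# found=4
# cleaned=4
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6YJF5HYT\dm6[1].exe Win32/Olmarik.AJC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\40.tmp Win32/Olmarik.AJC trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\28\11d5729c-6fe74ea5 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\rmurphy\Application Data\Sun\Java\Deployment\cache\6.0\5\68610bc5-4024c0a0 a variant of Java/TrojanDownloader.Agent.NAD trojan (deleted - quarantined) 00000000000000000000000000000000 C
"""

# Sample input, copied from the Kaspersky report in post #7.
KAV_SAMPLE = """
Autoscan: stopped 2 minutes ago (events: 8, objects: 1114, time: 00:01:48)
12/9/2010 2:35:50 PM Task started
12/9/2010 2:35:51 PM Detected: MEM:Rootkit.Win32.TDSS.fa Unknown application
12/9/2010 2:36:04 PM Cannot be backed up: MEM:Rootkit.Win32.TDSS.fa Unknown application
12/9/2010 2:40:40 PM Task stopped
12/9/2010 2:54:21 PM Task started
12/9/2010 2:56:04 PM Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
12/9/2010 2:56:10 PM Task stopped
Disinfect active threats: completed 16 minutes ago (events: 3, objects: 4341, time: 00:01:59)
12/9/2010 2:40:40 PM Task started
12/9/2010 2:40:40 PM Detected: MEM:Rootkit.Win32.TDSS.fa System Memory
12/9/2010 2:42:39 PM Task completed
"""

# ESET: "# key=value" header, then "<path> <threat> (<action>) <32-hex hash> <flag>".
ESET_HEADER = re.compile(r"^# (\w+)=(.*)$")
ESET_DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<threat>(?:a variant of )?(?:[A-Za-z0-9]+/\S+|multiple threats)(?: [a-z]+)?) "
    r"\((?P<action>.*)\) (?P<hash>[0-9a-f]{32}) (?P<flag>\S)$")


def parse_eset_log(text):
    """Return (header dict, list of detection dicts)."""
    header, detections = {}, []
    for line in text.splitlines():
        if (m := ESET_HEADER.match(line)):
            header[m.group(1)] = m.group(2)
        elif (m := ESET_DETECTION.match(line)):
            detections.append(m.groupdict())
    return header, detections


def family(threat):
    """'Win32/Olmarik.AJC trojan' -> 'Olmarik'; names without a '/' are kept whole."""
    m = re.search(r"/([A-Za-z0-9]+)", threat)
    return m.group(1) if m else threat


def eset_families(detections):
    return Counter(family(d["threat"]) for d in detections)


# Kaspersky: "<task>: <state> ... (events: ...)" section headers, then timestamped events.
KAV_SECTION = re.compile(r"^(?P<task>[A-Za-z ]+): \w+ .*\(events:")
KAV_EVENT = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>Detected|Cannot be backed up|Task started|Task stopped|Task completed)"
    r"(?:: (?P<threat>\S+) (?P<object>.*))?$")


def parse_kaspersky_log(text):
    """Return a flat list of event dicts, each tagged with the task it belongs to."""
    events, task = [], None
    for line in text.splitlines():
        if (m := KAV_SECTION.match(line)):
            task = m.group("task")
        elif (m := KAV_EVENT.match(line)):
            e = m.groupdict()
            e["task"] = task
            e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append(e)
    return events


def recurring_memory_threats(events):
    """Names of in-memory (MEM:) detections seen after the first 'Disinfect active
    threats' task completed.  A MEM: object that returns after disinfection means
    the on-disk loader, or a driver the scanner cannot see, is still in place;
    file-level cleaning alone will not end it."""
    done = [e["ts"] for e in events
            if e["task"] == "Disinfect active threats" and e["event"] == "Task completed"]
    if not done:
        return set()
    first_done = min(done)
    return {e["threat"] for e in events
            if e["event"] == "Detected" and e["threat"].startswith("MEM:") and e["ts"] > first_done}


if __name__ == "__main__":
    header, hits = parse_eset_log(ESET_SAMPLE)
    print("ESET found/cleaned:", header["found"], header["cleaned"], dict(eset_families(hits)))
    print("still active after disinfect:", recurring_memory_threats(parse_kaspersky_log(KAV_SAMPLE)))
```

The ESET half is only bookkeeping (which families, which paths, which actions were deferred to the next restart). The Kaspersky half carries the decision: a detection that is "cleaned" but comes back in a later autoscan, after the disinfect task completed, is evidence that something the scanner does not see is re-infecting memory, which is the point at which to stop running more scanners and hand the machine to someone with rootkit-specific tools.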


#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 10 December 2010 - 09:35 AM
Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself or infect critical system files which cannot be cleaned. Sometimes there is an undetected hidden piece of malware such as a rootkit which protects malicious files and registry keys so they cannot be permanently deleted. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Security vendors that claim to be able to remove rootkits and backdoor Trojans cannot guarantee that all traces of it will be removed as they may not find all the remnants. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, we will need you to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#9 rycool20 (Topic Starter)

Posted 10 December 2010 - 10:31 AM

Here is the thread with my logs I created in the Malware Removal forum:
http://www.bleepingcomputer.com/forums/topic366151.html

Thanks,

#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 10 December 2010 - 04:12 PM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.



