DiskChecker Malware


This topic is locked. 15 replies to this topic.

#1 Serigraphics (Members, 10 posts)

Posted 22 December 2010 - 11:21 AM

So I have used this forum in the past to successfully (for the most part) remove a nasty braviax virus from this same machine. I say for the most part because my ntfs.sys file remained corrupt afterwards, but the machine was functional, which is important because this is my main work machine here at a busy screen-printing company.

Either way, I somehow was infected clicking through an image on Google Images; not having "NoScript" installed, it promptly launched Java code which infected my computer. I knew immediately what was happening but I could not stop it.

I've done a lot of preliminary stuff that is similar to how I removed the last virus, such as getting to safe mode and running my MBAM and ComboFix. I also tried my Security Essentials, but that is a pretty useless program. Other things I have run already are Kaspersky's Virus Removal Tool and Dr.Web CureIt.

After all this the machine will finally boot into normal Windows; however, after a glimmer of hope for about 2 minutes, CheckDisk resurfaces and installs itself again. Any help will be much appreciated, and I thank the professionals at this forum for their continued hard work, even though there are a lot more bad guys than there are of you good guys.

Sorry, the name of the malware is actually "CheckDisk." I searched the forums and couldn't find anything exactly related to it.

COMBOFIX LOG
Attached File  COMBOFIX.txt   25.65KB   4 downloads


OLDTIMER LOG
Attached File  OTL.Txt   58.26KB   0 downloads

Merged 3 posts. ~ OB

Edited by Orange Blossom, 23 December 2010 - 08:38 PM.



#2 Serigraphics (Topic Starter; Members, 10 posts)

Posted 30 December 2010 - 12:22 PM

Well, I fixed the main malware issue. But now I have the Google redirect thing going on that a lot of people are having trouble with right now.

#3 m0le (Malware Response Team, 34,527 posts; London, UK)

Posted 30 December 2010 - 07:47 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that, then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 Serigraphics (Topic Starter; Members, 10 posts)

Posted 31 December 2010 - 01:50 PM

Hi m0le. Thanks for the help. I won't be back in the office until Tuesday. If possible, can we return to this issue at that time? Note that I got most of the malware software removed; however, there are still files trying to execute Java attacks that my AV has caught recently, and I have the Google redirect thing going on. Let me know what logs you want and I will post them up first thing Tuesday. Thanks!

#5 m0le (Malware Response Team, 34,527 posts; London, UK)

Posted 31 December 2010 - 02:33 PM

No problem. Let's have a check for some rootkit activity first.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#6 Serigraphics (Topic Starter; Members, 10 posts)

Posted 04 January 2011 - 11:05 AM

After I ran TDSSKiller it found a rootkit infection. I clicked Clean and my computer got hung up and wouldn't restart. I was forced to shut it down manually. When I logged back on, Microsoft Security Essentials detected the rootkit again with these details:

Trojan:DOS/Alureon.A
Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
boot:\Device\Harddisk0\DR0

Get more information about this item online.


It's asking to restart as I clicked to remove the infection with MSSE.

Here are the two logs you asked for.

Attached Files
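The detection above names boot:\Device\Harddisk0\DR0, that is, the first sector of the first physical disk, which is why m0le asked for MBRCheck in the previous post: an MBR-infecting rootkit such as Alureon replaces the 440 bytes of bootstrap code while leaving the partition table intact, so the disk still boots. The check below is an added example written for this thread (it is not MBRCheck's or TDSSKiller's code): it parses a 512-byte MBR, hashes the bootstrap code, compares it against a known-good set and sanity-checks the partition table. All sample data is constructed: the "clean" bootstrap code is a short stub, the known-good set is seeded from that stub rather than from genuine Windows MBR code, and the "infected" sample is the same MBR with its first bytes overwritten.

```python
"""Check a 512-byte Master Boot Record against known-good bootstrap code.

Added example for this thread (not MBRCheck's or TDSSKiller's own code).
Sample data is constructed: the "clean" boot code is a stub, and the
known-good hash set is seeded from that stub, not from real Windows MBR code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440                  # bootstrap code: bytes 0..439
DISK_SIG_OFF = 440                   # 4-byte NT disk signature
PART_TABLE_OFF = 446                 # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"               # bytes 510..511
# status, CHS start, type, CHS end, start LBA, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def read_mbr(path):
    # path may be a raw device (\\.\PhysicalDrive0 on Windows, run as
    # administrator) or a dd image of the disk.
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:               # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "start_lba": lba, "sectors": count})
    boot_code = bytes(sector[:BOOT_CODE_LEN])
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
            "partitions": partitions}


def check_mbr(sector, known_good_hashes):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("bootstrap code does not match any known-good hash")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["start_lba"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start LBA or length")
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"])
                   for p in info["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap")
            break
    return findings


def build_sample_mbr(boot_code, status=0x80):
    """Constructed sample: one NTFS (type 0x07) partition starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)   # made-up disk signature
    PART_ENTRY.pack_into(sector, PART_TABLE_OFF, status, b"\x01\x01\x00",
                         0x07, b"\xfe\xff\xff", 63, 204800)
    sector[510:] = BOOT_SIG
    return bytes(sector)


# Constructed stand-in for trusted bootstrap code (xor ax,ax / mov ss,ax /
# mov sp,7C00h / sti), zero-padded; not real Windows MBR code.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007cfb").ljust(BOOT_CODE_LEN, b"\x00")
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)

# Simulated bootkit: the first bytes are replaced by a jump into attacker
# code, the pattern an MBR-infecting rootkit leaves behind; the partition
# table is untouched, so the disk still boots.
_infected = bytearray(CLEAN_BOOT_CODE)
_infected[:3] = b"\xeb\x3c\x90"
INFECTED_MBR = build_sample_mbr(bytes(_infected))

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, check_mbr(mbr, KNOWN_GOOD) or "OK")
```

On a live system the known-good set has to come from somewhere trustworthy (a hash of the MBR taken when the machine was known clean, or the bootstrap code of the same Windows version from an untouched install); a hash that merely differs from that set says the code changed, not what changed it, so the finding is a prompt to pull the sector and look at it, not a verdict.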



#7 Serigraphics (Topic Starter; Members, 10 posts)

Posted 04 January 2011 - 11:12 AM

UPDATE

After I ran MSSE and restarted, it failed to remove the rootkit. However, upon restart I reran TDSS and it still detects it; I opted to restart later. Then I ran MSSE again and it was able to clean the rootkit without a restart. TDSS is no longer detecting it.

2011/01/04 11:09:57.0546 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/04 11:09:57.0546 ================================================================================
2011/01/04 11:09:57.0546 SystemInfo:
2011/01/04 11:09:57.0546
2011/01/04 11:09:57.0546 OS Version: 5.1.2600 ServicePack: 2.0
2011/01/04 11:09:57.0546 Product type: Workstation
2011/01/04 11:09:57.0546 ComputerName: AMD-COMPUTER
2011/01/04 11:09:57.0546 UserName: Owner
2011/01/04 11:09:57.0546 Windows directory: C:\WINDOWS
2011/01/04 11:09:57.0546 System windows directory: C:\WINDOWS
2011/01/04 11:09:57.0546 Processor architecture: Intel x86
2011/01/04 11:09:57.0546 Number of processors: 2
2011/01/04 11:09:57.0546 Page size: 0x1000
2011/01/04 11:09:57.0546 Boot type: Normal boot
2011/01/04 11:09:57.0546 ================================================================================
2011/01/04 11:09:57.0734 Initialize success
2011/01/04 11:09:59.0359 ================================================================================
2011/01/04 11:09:59.0359 Scan started
2011/01/04 11:09:59.0359 Mode: Manual;
2011/01/04 11:09:59.0359 ================================================================================
2011/01/04 11:10:00.0406 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/04 11:10:00.0453 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/04 11:10:00.0484 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\WINDOWS\system32\drivers\adfs.sys
2011/01/04 11:10:00.0562 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2011/01/04 11:10:00.0578 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/01/04 11:10:00.0671 aksfridge (11f424d02aea63a3a53445087072fdd0) C:\WINDOWS\system32\DRIVERS\aksfridge.sys
2011/01/04 11:10:01.0015 akshasp (64fc197d24a2b240598f29ce0a6660c0) C:\WINDOWS\system32\DRIVERS\akshasp.sys
2011/01/04 11:10:01.0062 akshhl (147b61b81be1ffc38939ea47e5cfb51f) C:\WINDOWS\system32\DRIVERS\akshhl.sys
2011/01/04 11:10:01.0109 aksusb (cce6c56f18d214de8d66f3f2a774cd5b) C:\WINDOWS\system32\DRIVERS\aksusb.sys
2011/01/04 11:10:01.0171 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/01/04 11:10:01.0296 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/04 11:10:01.0328 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/04 11:10:01.0453 ati2mtag (b1ae41cfe277e043837aa2b875adb757) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/04 11:10:01.0781 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/04 11:10:01.0828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/04 11:10:01.0890 BrPar (2fe6d5be0629f706197b30c0aa05de30) C:\WINDOWS\System32\drivers\BrPar.sys
2011/01/04 11:10:02.0000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/04 11:10:02.0046 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/04 11:10:02.0093 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/04 11:10:02.0140 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/04 11:10:02.0281 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/04 11:10:02.0343 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/04 11:10:02.0406 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/04 11:10:02.0437 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/04 11:10:02.0484 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/04 11:10:02.0531 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/04 11:10:02.0562 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/01/04 11:10:02.0609 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/04 11:10:02.0671 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/04 11:10:02.0718 fdrawcmd (75c1e92f6ac3da41728731ea2e20fbce) C:\WINDOWS\system32\drivers\fdrawcmd.sys
2011/01/04 11:10:02.0750 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/04 11:10:02.0796 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/04 11:10:02.0828 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/04 11:10:02.0859 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/04 11:10:02.0906 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/04 11:10:02.0937 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/04 11:10:02.0984 hardlock (995178a443b07fa9eeaea041d7b4b5ca) C:\WINDOWS\system32\drivers\hardlock.sys
2011/01/04 11:10:03.0250 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/04 11:10:03.0296 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/04 11:10:03.0359 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/04 11:10:03.0421 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/04 11:10:03.0468 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/04 11:10:03.0625 IntcAzAudAddService (41ef008d7b089ce6f5f2e4a61d5638e6) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/01/04 11:10:03.0718 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/04 11:10:03.0765 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/04 11:10:03.0796 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/04 11:10:03.0843 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/04 11:10:03.0875 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/04 11:10:03.0921 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/04 11:10:03.0953 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/04 11:10:03.0984 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/04 11:10:04.0015 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/04 11:10:04.0062 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/04 11:10:04.0109 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/04 11:10:04.0171 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/04 11:10:04.0218 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/04 11:10:04.0250 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/04 11:10:04.0281 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/04 11:10:04.0312 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/04 11:10:04.0359 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/01/04 11:10:04.0406 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/04 11:10:04.0453 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/04 11:10:04.0484 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/04 11:10:04.0562 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/04 11:10:04.0593 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/04 11:10:04.0656 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/04 11:10:04.0687 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/04 11:10:04.0718 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/01/04 11:10:04.0765 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/04 11:10:04.0812 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/04 11:10:04.0859 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/04 11:10:04.0890 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/04 11:10:04.0921 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/04 11:10:04.0953 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/04 11:10:05.0000 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/04 11:10:05.0031 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/04 11:10:05.0109 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/04 11:10:05.0187 Ntfs (b5fac1a3e6cf6d59d92ecb071c0eac3d) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/04 11:10:05.0187 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\Ntfs.sys. md5: b5fac1a3e6cf6d59d92ecb071c0eac3d
2011/01/04 11:10:05.0187 Ntfs - detected Locked file (1)
2011/01/04 11:10:05.0218 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/04 11:10:05.0250 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/01/04 11:10:05.0281 nvgts (ea98bfe4931bd13d747d647c1859796e) C:\WINDOWS\system32\DRIVERS\nvgts.sys
2011/01/04 11:10:05.0312 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/01/04 11:10:05.0359 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/04 11:10:05.0375 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/04 11:10:05.0421 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/04 11:10:05.0453 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/04 11:10:05.0484 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/04 11:10:05.0531 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/04 11:10:05.0578 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/04 11:10:05.0656 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/04 11:10:05.0703 PCTAppEvent (cc174f32cc9c18ea3109c4b0fc2ca8df) C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2011/01/04 11:10:05.0734 PCTCore (ad629e621cb1242ba8707cd9c2c5b6ec) C:\WINDOWS\system32\drivers\PCTCore.sys
2011/01/04 11:10:05.0765 PCTFW-DNS (0afd401e45033c6264080989647989d2) C:\WINDOWS\system32\drivers\pctNdis-DNS.sys
2011/01/04 11:10:05.0812 PCTFW-PacketFilter (4a7ef973fcd9c6cad6040ebb61262a5c) C:\WINDOWS\system32\drivers\pctNdis-PacketFilter.sys
2011/01/04 11:10:05.0828 pctgntdi (39e8623f9f29dbc9e053a696d85f8ac6) C:\WINDOWS\system32\drivers\pctgntdi.sys
2011/01/04 11:10:05.0875 pctNDIS (8bbe917bc4da64b0ba8db33d4c0e0b7d) C:\WINDOWS\system32\DRIVERS\pctNdis.sys
2011/01/04 11:10:05.0906 pctplfw (6d74df36716a458619a62dd764fc4f8b) C:\WINDOWS\system32\drivers\pctplfw.sys
2011/01/04 11:10:06.0062 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/04 11:10:06.0093 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/04 11:10:06.0156 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/04 11:10:06.0203 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/04 11:10:06.0218 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/04 11:10:06.0328 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/04 11:10:06.0375 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/04 11:10:06.0421 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/04 11:10:06.0453 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/04 11:10:06.0484 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/04 11:10:06.0500 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/04 11:10:06.0546 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/04 11:10:06.0578 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/04 11:10:06.0640 SCDEmu (23aa53256ce05b975398b78a33474265) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/01/04 11:10:06.0765 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/04 11:10:06.0796 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/04 11:10:06.0843 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/04 11:10:06.0890 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/04 11:10:06.0984 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/04 11:10:07.0015 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/04 11:10:07.0078 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/04 11:10:07.0109 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/04 11:10:07.0140 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/04 11:10:07.0203 SydexFDD (9b2bdd7a8629a9c5a55cd5635ddf136f) C:\WINDOWS\System32\drivers\sydexfdd.sys
2011/01/04 11:10:07.0296 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/04 11:10:07.0343 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/04 11:10:07.0375 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/04 11:10:07.0390 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/04 11:10:07.0421 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/04 11:10:07.0484 TPkd (83596c4371f33b09ea53c56f54e0af31) C:\WINDOWS\system32\drivers\TPkd.sys
2011/01/04 11:10:07.0515 trysftnt (226bd9e95e30bc833345ac5eea316e03) C:\WINDOWS\system32\drivers\trysftnt.sys
2011/01/04 11:10:07.0562 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/04 11:10:07.0640 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/04 11:10:07.0703 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/04 11:10:07.0734 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/04 11:10:07.0781 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/04 11:10:07.0812 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/04 11:10:07.0859 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/04 11:10:07.0906 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/04 11:10:07.0937 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/04 11:10:07.0984 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/04 11:10:08.0031 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/01/04 11:10:08.0093 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/04 11:10:08.0156 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/04 11:10:08.0203 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/01/04 11:10:08.0265 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/04 11:10:08.0343 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/01/04 11:10:08.0390 wntpport (602c3f23b332b446da96115397289471) C:\WINDOWS\system32\drivers\wntpport.sys
2011/01/04 11:10:08.0437 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/04 11:10:08.0484 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/04 11:10:09.0031 ================================================================================
2011/01/04 11:10:09.0031 Scan finished
2011/01/04 11:10:09.0031 ================================================================================
2011/01/04 11:10:09.0046 Detected object count: 1
2011/01/04 11:10:18.0296 Locked file(Ntfs) - User select action: Skip



However, I still have the suspicious activity on ntfs.sys, which MSSE detects as Cutwail.H.

That has been a pain for a while now; any ideas on that?
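The TDSSKiller log above is a driver inventory: one line per loaded driver with its MD5 and path, plus the two out-of-pattern lines for Ntfs ("Suspicious file (NoAccess)" and "detected Locked file"). The usual way to get more out of such a listing than eyeballing it is to compare every hash against a reference inventory taken from a clean machine of the same Windows version and service pack, and to surface the alert lines separately. The script below is an added example written for this thread, not TDSSKiller's logic. The sample lines are quoted from the log above; the REFERENCE_MD5 table is constructed for illustration (two entries copied from the log so they match, one deliberately altered so the mismatch path runs) and is not a genuine list of Microsoft driver hashes.

```python
"""Triage a TDSSKiller driver listing against a reference hash set.

Added example for this thread, not TDSSKiller's own logic. The sample lines
are quoted from the log above; REFERENCE_MD5 is constructed for illustration
and is not a genuine list of Microsoft driver hashes.
"""
import re

# "2011/01/04 11:10:00.0406 ACPI (a10c...) C:\WINDOWS\system32\DRIVERS\ACPI.sys"
DRIVER_RE = re.compile(r"^\S+ \S+ (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "... Suspicious file (NoAccess): C:\...\Ntfs.sys. md5: b5fa..."
SUSPICIOUS_RE = re.compile(
    r"Suspicious file \((?P<reason>\w+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})")
# "... Ntfs - detected Locked file (1)"
DETECTED_RE = re.compile(r"^\S+ \S+ (?P<name>\S+) - detected (?P<what>.+?) \(\d+\)$")


def parse_tdsskiller(text):
    """Return ({driver name: (md5, path)}, [alert dicts])."""
    drivers, alerts = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SUSPICIOUS_RE.search(line)):
            alerts.append({"subject": m["path"],
                           "detail": f"suspicious ({m['reason']}), md5 {m['md5']}"})
        elif (m := DETECTED_RE.match(line)):
            alerts.append({"subject": m["name"], "detail": f"detected {m['what']}"})
        elif (m := DRIVER_RE.match(line)):
            drivers[m["name"]] = (m["md5"], m["path"])
    return drivers, alerts


def triage(drivers, alerts, reference):
    """Return (subject, kind, detail) tuples; kind is mismatch, unverified or alert.

    Drivers whose hash equals the reference produce no finding at all.
    """
    findings = []
    for name, (md5, path) in sorted(drivers.items()):
        expected = reference.get(name)
        if expected is None:
            findings.append((name, "unverified", f"no reference hash for {path}"))
        elif expected.lower() != md5:
            findings.append((name, "mismatch", f"{path}: {md5} != reference {expected}"))
    for a in alerts:
        findings.append((a["subject"], "alert", a["detail"]))
    return findings


# Lines quoted from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
2011/01/04 11:10:00.0406 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/04 11:10:01.0328 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/04 11:10:05.0187 Ntfs (b5fac1a3e6cf6d59d92ecb071c0eac3d) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/04 11:10:05.0187 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\Ntfs.sys. md5: b5fac1a3e6cf6d59d92ecb071c0eac3d
2011/01/04 11:10:05.0187 Ntfs - detected Locked file (1)
2011/01/04 11:10:07.0343 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
"""

# Constructed reference table, NOT genuine Microsoft hashes.
REFERENCE_MD5 = {
    "ACPI": "a10c7534f7223f4a73a948967d00e69b",   # copied from the log line above
    "atapi": "cdfe4411a69c224bd1d11b2da92dac51",  # copied from the log line above
    # last four hex digits altered on purpose so the mismatch branch is exercised
    "Tcpip": "2a5554fc5b1e04e131230e3ce035ffff",
}

if __name__ == "__main__":
    drv, al = parse_tdsskiller(SAMPLE_LOG)
    for subject, kind, detail in triage(drv, al, REFERENCE_MD5):
        print(f"{kind:10s} {subject}: {detail}")
```

Two things worth noting when reading the output. A hash that is missing from the reference is only "unverified", not bad; the right response is to look the hash up or hash the same driver on a clean install, not to delete the file. And a "NoAccess" line means TDSSKiller could not read the file at all, so the MD5 it prints next to it came from somewhere other than a fresh read; a tool that cannot read a boot-critical driver is itself a finding, whatever the hash says.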

#8 m0le (Malware Response Team, 34,527 posts; London, UK)

Posted 04 January 2011 - 08:22 PM

Strange that MSSE flags a Microsoft driver file as malware...

Let's take a look at the file if we can

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.

C:\WINDOWS\system32\drivers\Ntfs.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

#9 Serigraphics (Topic Starter; Members, 10 posts)

Posted 05 January 2011 - 12:43 PM

Neither one of those websites will work for that file.

The first one says "File Empty! 0 bytes"

and the second site pops up the "File uploading" box, but then it closes and nothing happens. I tried this with other files and it works fine, so it's confusing. It just won't work for the NTFS.sys.

#10 m0le (Malware Response Team, 34,527 posts; London, UK)

Posted 05 January 2011 - 01:31 PM

If we can find a backup we can overwrite this suspicious driver file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ntfs.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 Serigraphics (Topic Starter; Members, 10 posts)

Posted 05 January 2011 - 01:37 PM

SystemLook 04.09.10 by jpshortstuff
Log created at 13:34 on 05/01/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "ntfs.sys"
C:\cmdcons\NTFS.SYS --a---- 574592 bytes [04:15 04/08/2004] [04:15 04/08/2004] B78BE402C3F63DD55521F73876951CDD
C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys --a---- 574976 bytes [11:23 09/02/2007] [11:23 09/02/2007] 05AB81909514BFD69CBB1F2C147CF6B9
C:\WINDOWS\$NtUninstallKB930916$\ntfs.sys -----c- 574592 bytes [05:39 18/10/2008] [03:15 04/08/2004] B78BE402C3F63DD55521F73876951CDD
C:\WINDOWS\ServicePackFiles\i386\ntfs.sys ------- 574592 bytes [03:15 04/08/2004] [03:15 04/08/2004] B78BE402C3F63DD55521F73876951CDD
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ntfs.sys --a---- 574976 bytes [21:36 19/05/2010] [19:15 13/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA
C:\WINDOWS\system32\dllcache\ntfs.sys --a--c- 574464 bytes [11:10 09/02/2007] [16:00 20/08/2009] 19A811EF5F1ED5C926A028CE107FF1AF
C:\WINDOWS\system32\drivers\ntfs.sys --a---- 629920 bytes [12:00 29/08/2002] [16:00 20/08/2009] (Unable to calculate MD5)

-= EOF =-
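In the listing above the in-use driver, C:\WINDOWS\system32\drivers\ntfs.sys, is the one copy SystemLook could not hash and the only one at a different size (629920 bytes against 574464 to 574976 for the six others); it is also the path TDSSKiller reported as NoAccess and the file Jotti received as 0 bytes. Those observations are consistent with each other but do not by themselves say whether the file is malicious or merely locked against reads, which is why m0le keeps saying he cannot confirm it. The script below is an added example written for this thread (not SystemLook's or The Avenger's code): it parses a :filefind listing, flags the in-use copy when it cannot be hashed, agrees with no other copy, or is a size no other copy has, and ranks the remaining copies as replacement candidates by how many of them share a hash, which is the reasoning behind picking a backup to move over the live file. The sample lines are quoted from the SystemLook log above.

```python
"""Pick out the odd copy of a file from a SystemLook :filefind listing.

Added example for this thread, not SystemLook's or The Avenger's own code.
The sample lines are quoted from the SystemLook log posted above.
"""
import re
from collections import Counter

# "C:\cmdcons\NTFS.SYS --a---- 574592 bytes [04:15 04/08/2004] [04:15 04/08/2004] B78B..."
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$")


def parse_filefind(text):
    """Return one dict per file line; md5 is None when SystemLook could not hash it."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        md5 = m["md5"]
        entries.append({"path": m["path"], "attrs": m["attrs"], "size": int(m["size"]),
                        "created": m["created"], "modified": m["modified"],
                        "md5": None if md5.startswith("(") else md5.upper()})
    return entries


def assess(entries, live_path):
    """Compare the in-use copy with every other copy; return (reasons, candidates).

    reasons: why the live copy stands out (empty if it does not).
    candidates: the other copies, those sharing a hash with the most others first.
    """
    live = next(e for e in entries if e["path"].lower() == live_path.lower())
    backups = [e for e in entries if e is not live]
    by_hash = Counter(e["md5"] for e in backups if e["md5"])
    reasons = []
    if live["md5"] is None:
        reasons.append("live copy could not be hashed")
    elif live["md5"] not in by_hash:
        reasons.append("live copy hash matches none of the other copies")
    if all(live["size"] != e["size"] for e in backups):
        reasons.append(f"live size {live['size']} bytes differs from every other copy")
    candidates = sorted(backups,
                        key=lambda e: (-by_hash[e["md5"]] if e["md5"] else 0, e["path"]))
    return reasons, candidates


# Lines quoted from the SystemLook log above.
SAMPLE_LOG = r"""
Searching for "ntfs.sys"
C:\cmdcons\NTFS.SYS --a---- 574592 bytes [04:15 04/08/2004] [04:15 04/08/2004] B78BE402C3F63DD55521F73876951CDD
C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys --a---- 574976 bytes [11:23 09/02/2007] [11:23 09/02/2007] 05AB81909514BFD69CBB1F2C147CF6B9
C:\WINDOWS\$NtUninstallKB930916$\ntfs.sys -----c- 574592 bytes [05:39 18/10/2008] [03:15 04/08/2004] B78BE402C3F63DD55521F73876951CDD
C:\WINDOWS\ServicePackFiles\i386\ntfs.sys ------- 574592 bytes [03:15 04/08/2004] [03:15 04/08/2004] B78BE402C3F63DD55521F73876951CDD
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ntfs.sys --a---- 574976 bytes [21:36 19/05/2010] [19:15 13/04/2008] 78A08DD6A8D65E697C18E1DB01C5CDCA
C:\WINDOWS\system32\dllcache\ntfs.sys --a--c- 574464 bytes [11:10 09/02/2007] [16:00 20/08/2009] 19A811EF5F1ED5C926A028CE107FF1AF
C:\WINDOWS\system32\drivers\ntfs.sys --a---- 629920 bytes [12:00 29/08/2002] [16:00 20/08/2009] (Unable to calculate MD5)
"""
LIVE_DRIVER = r"C:\WINDOWS\system32\drivers\ntfs.sys"

if __name__ == "__main__":
    reasons, candidates = assess(parse_filefind(SAMPLE_LOG), LIVE_DRIVER)
    print("live copy:", "; ".join(reasons) or "nothing unusual")
    for c in candidates:
        print(f"  candidate {c['md5']} {c['size']:7d} {c['path']}")
```

Different sizes among the backups are normal here: the copies come from different service-pack and hotfix levels, so "shares a hash with the most other copies" ranks by agreement, not by being the newest. Before moving any candidate over the live file, confirm that its version matches the installed service pack and check the hash against a trusted source; a driver that is the wrong version will leave the machine unbootable just as surely as a bad one.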

#12 m0le (Malware Response Team, 34,527 posts; London, UK)

Posted 05 January 2011 - 01:46 PM

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    files to move:C:\WINDOWS\ServicePackFiles\i386\ntfs.sys | C:\WINDOWS\system32\drivers\ntfs.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Now rerun TDSSKiller for me.

#13 Serigraphics (Topic Starter; Members, 10 posts)

Posted 05 January 2011 - 02:13 PM

Here are the two logs. MSSE found the NTFS.sys in the Avenger folder immediately on startup and identified it as Cutwail:H... I opted to disinfect it just in case. TDSS is still detecting it as suspicious. So I ran an MSSE quick scan to see if it still found the ntfs.sys in the Windows folder "infected." It didn't find it as infected anymore. However, not sure why TDSSKiller is finding it as a threat.

Attached Files



#14 m0le (Malware Response Team, 34,527 posts; London, UK)

Posted 05 January 2011 - 04:59 PM

That just looks so much like a false positive but I can't confirm it.

Please run Combofix to check for another infected file.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#15 m0le (Malware Response Team, 34,527 posts; London, UK)

Posted 08 January 2011 - 09:47 PM

Hi,

I have not had a reply from you for 4 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le



