Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Help Killing Tidserv Rootkit virus

  • This topic is locked This topic is locked
13 replies to this topic

#1 Mako232


  • Members
  • 7 posts
  • Local time:09:50 PM

Posted 30 December 2010 - 11:01 AM

Symantec identified the Tidserv Rootkit in several files on my machine. I've tried several things but failed in eradicating it. After living with it a couple of months things are getting worse. Now looking at a clean install unless you can help me. Looking at this board, I can tell there's some Virus killing Jedi's here... Help Please!

DDS (Ver_10-12-12.02) - FAT32x86
Run by Owner at 0:55:55.60 on Thu 12/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2505 [GMT -5:00]

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Data Study\David1\Downloads Study PC\Malware Removal Tools\Defogger.exe
C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe
C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://searchbar.findthewebsiteyouneed.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7c109800-a5d5-438f-9640-18d17e168b88} - c:\program files\netproject\sbmdl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VTPreset] VTPreset.exe
mRun: [ResChangerXP] c:\program files\reschanger xp\ResChangerXP.exe
mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"
mRun: [POINTER] point32.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AS00_WN311B] c:\program files\netgear\wn311b\utility\WN311B.exe -hide
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 8\PostUpdate.exe" 1014021
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\eventr~1.lnk - c:\program files\mindscape\printmaster\PMREMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stk02n~1.lnk - c:\windows\stk02n\STK02NM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - e:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100748652530
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37867.8595833333
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
STS: {b0fdc513-46b9-46fc-8e70-d575ee546dae} - No File

============= SERVICES / DRIVERS ===============

R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2002-8-14 5632]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-6-17 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-6-17 108392]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-4 266240]
R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [2003-5-26 6144]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-6-17 2234296]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-10-26 16194]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-18 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101229.004\NAVENG.SYS [2010-12-29 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101229.004\NAVEX15.SYS [2010-12-29 1360760]
S2 EraserSvc11010;Symantec Eraser Service;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-6-17 108392]
S2 gupdate1c98688726554cc;Google Update Service (gupdate1c98688726554cc);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 CH341SER;CH341SER;c:\windows\system32\drivers\CH341SER.SYS [2009-7-28 37488]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-6-17 23888]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [2009-12-18 101520]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.SYS [2004-2-6 17149]
S3 NETGEAR NETGEAR_MA101_USB_Adapter®;NETGEAR NETGEAR_MA101_USB_Adapter® Service for NETGEAR MA101 USB Adapter;c:\windows\system32\drivers\ma1012kr.sys --> c:\windows\system32\drivers\ma1012kr.sys [?]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\windows\system32\drivers\ma101rnd.sys --> c:\windows\system32\drivers\ma101rnd.sys [?]
S3 VIASens;Vinyl Sensaura WDM 3D Audio Driver;c:\windows\system32\drivers\viasens.sys [2003-11-7 391680]

=============== Created Last 30 ================

2010-12-29 20:44:57 -------- d-sh--w- c:\documents and settings\owner\IECompatCache
2010-12-29 20:44:11 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2010-12-29 20:40:31 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2010-12-29 20:32:40 -------- d--h--w- c:\windows\ie8
2010-12-29 19:52:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-29 19:03:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 19:03:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 16:17:12 -------- d-sh--w- C:\FOUND.006
2010-12-16 18:42:06 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 23:35:22 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-14 20:21:54 -------- d-sh--w- C:\FOUND.005

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 17:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
1999-01-04 07:42:02 890048 ----a-w- c:\program files\DISCWZRD.EXE
1999-01-04 07:42:02 83632 ----a-w- c:\program files\FILECOPY.EXE
1999-01-04 07:42:02 77376 ----a-w- c:\program files\UNINSTAL.EXE
1999-01-04 07:42:02 31264 ----a-w- c:\program files\CDREG.EXE
1999-01-04 07:42:02 27136 ----a-w- c:\program files\DDLOADER.BIN
1999-01-04 07:42:02 243200 ----a-w- c:\program files\CDUPDATE.EXE

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDP725050GLA360 rev.GM4OA52A -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF4C555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8af527b0]; MOV EAX, [0x8af5282c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AFD6AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007e[0x8AFF14B8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF5A940]
\Driver\atapi[0x8AF5F398] -> IRP_MJ_CREATE -> 0x8AF4C555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP3T0L0-12 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA52A#5&5c6cfd6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AF4C39B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 0:57:19.71 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:50 AM

Posted 30 December 2010 - 06:40 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.



#3 Mako232

  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:50 PM

Posted 30 December 2010 - 10:46 PM

Thanks so much for your help. Here are the combofix results. It found TDL3 Rootkit. First look is the browser is running better, also alot fewer services running. However I still have an annoying Google redirect virus messing with me.

ComboFix 10-12-30.01 - Owner 12/30/2010 22:08:49.1.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2825 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))

2010-12-29 22:36 . 2010-12-29 22:36 -------- d-sh--w- c:\documents and settings\MaryLynn\IETldCache
2010-12-29 20:54 . 2010-12-29 20:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-29 20:44 . 2010-12-29 20:44 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-12-29 20:44 . 2010-12-29 20:44 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-12-29 20:42 . 2010-12-29 20:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-29 20:40 . 2010-12-29 20:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-12-29 20:32 . 2010-12-29 20:32 -------- d--h--w- c:\windows\ie8
2010-12-29 19:52 . 2010-12-29 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-29 19:03 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 19:03 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 16:17 . 2010-12-18 16:17 -------- d-----w- C:\FOUND.006
2010-12-16 18:42 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 23:35 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-14 20:21 . 2010-12-14 20:21 -------- d-----w- C:\FOUND.005
2010-12-05 04:06 . 2010-12-05 04:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-11-18 18:12 . 2009-01-13 13:02 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-02 15:17 . 2002-08-29 17:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2002-08-29 17:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2002-08-29 17:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 17:23 . 2010-10-07 17:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23 . 2010-10-07 17:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23 . 2010-10-07 17:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
1999-01-04 07:42 . 2000-02-14 01:00 890048 ----a-w- c:\program files\DISCWZRD.EXE
1999-01-04 07:42 . 2000-02-14 01:00 27136 ----a-w- c:\program files\DDLOADER.BIN
1999-01-04 07:42 . 2000-02-14 01:00 77376 ----a-w- c:\program files\UNINSTAL.EXE
1999-01-04 07:42 . 2000-02-14 01:00 31264 ----a-w- c:\program files\CDREG.EXE
1999-01-04 07:42 . 2000-02-14 01:00 243200 ----a-w- c:\program files\CDUPDATE.EXE
1999-01-04 07:42 . 2000-02-14 01:00 83632 ----a-w- c:\program files\FILECOPY.EXE

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\DRIVERS\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\DRIVERS\System32\DRIVERS\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\ReinstallBackups\0021\DriverFiles\i386\atapi.sys
[-] 2002-08-29 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\SYSTEM32\ReinstallBackups\0022\DriverFiles\i386\atapi.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"VTPreset"="VTPreset.exe" [2004-02-25 45056]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"ResChangerXP"="c:\program files\ResChanger XP\ResChangerXP.exe" [2002-02-14 600576]
"QFan Help"="c:\program files\ASUS\AI Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]
"nwiz"="nwiz.exe" [2008-06-25 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"NeroCheck"="c:\windows\System32\NeroCheck.exe" [2001-07-09 155648]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 94208]
"Cpu Level Up help"="c:\program files\ASUS\AI Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-17 115560]
"AS00_WN311B"="c:\program files\NETGEAR\WN311B\Utility\WN311B.exe" [2006-05-08 1413241]
"Ai Nap"="c:\program files\ASUS\AI Suite\AiNap\AiNap.exe" [2008-05-21 1423360]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-12-30 53248]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [N/A]
STK02N 2.3 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2009-12-18 163840]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-31 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-12-27 692224]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *sprestrt



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"EnableFirewall"= 0 (0x0)

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 IOPort;IOPort;c:\windows\SYSTEM32\IOPORT.SYS [5/26/2003 5:23 PM 6144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/18/2009 7:24 PM 102448]
S2 CSHelper;CopySafe Helper Service;c:\windows\SYSTEM32\CSHelper.exe [3/4/2009 3:43 PM 266240]
S2 EraserSvc11010;Symantec Eraser Service;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [6/17/2008 4:05 PM 108392]
S2 gupdate1c98688726554cc;Google Update Service (gupdate1c98688726554cc);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 9:21 PM 133104]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\SYSTEM32\AWINDIS5.SYS [10/26/2007 10:34 PM 16194]
S3 CH341SER;CH341SER;c:\windows\SYSTEM32\DRIVERS\CH341SER.SYS [7/28/2009 8:03 PM 37488]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [6/17/2008 4:04 PM 23888]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\SYSTEM32\DRIVERS\STK02NW2.sys [12/18/2009 10:13 AM 101520]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\DNINDIS5.SYS [2/6/2004 1:22 PM 17149]
S3 NETGEAR NETGEAR_MA101_USB_Adapter®;NETGEAR NETGEAR_MA101_USB_Adapter® Service for NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma1012kr.sys --> c:\windows\system32\DRIVERS\ma1012kr.sys [?]
S3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma101rnd.sys --> c:\windows\system32\DRIVERS\ma101rnd.sys [?]
S3 VIASens;Vinyl Sensaura WDM 3D Audio Driver;c:\windows\SYSTEM32\DRIVERS\viasens.sys [11/7/2003 7:07 AM 391680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Contents of the 'Scheduled Tasks' folder

2010-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-12-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-05 02:21]

2010-12-31 c:\windows\Tasks\User_Feed_Synchronization-{F60E4A9D-A343-4E1C-9FE4-1F26E51CE18A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:21]

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 02:21]
------- Supplementary Scan -------
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKLM-Run-POINTER - point32.exe
HKLM-Run-hpqSRMon - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
SafeBoot-Symantec Antvirus
AddRemove-Corel Applications - c:\windows\Corel\Uninst32.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 22:23
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDP725050GLA360 rev.GM4OA52A -> Harddisk0\DR0 -> \Device\Ide\IdePort3 P3T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF62555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8af687b0]; MOV EAX, [0x8af6882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AF73AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007f[0x8AFEF030]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AFE9D98]
\Driver\atapi[0x8AF70900] -> IRP_MJ_CREATE -> 0x8AF62555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP3T0L0-12 -> \??\IDE#DiskHitachi_HDP725050GLA360_________________GM4OA52A#5&5c6cfd6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AF6239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

--------------------- LOCKED REGISTRY KEYS ---------------------

@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
Completion time: 2010-12-30 22:31:27
ComboFix-quarantined-files.txt 2010-12-31 03:31

Pre-Run: 271,701,868,544 bytes free
Post-Run: 287,791,022,080 bytes free

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 9E2DE85D6B68AF6CA898DCE6695B0103

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:50 AM

Posted 31 December 2010 - 02:22 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.



#5 Mako232

  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:50 PM

Posted 31 December 2010 - 06:52 PM

Here's the ESET scan results. Happy New Years and thanks so much for helping me! Looks like it found 75 bad files.

C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001001.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001033.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001130.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001165.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001196.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001297.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001347.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001396.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001449.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001477.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001554.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001582.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0001621.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0002001.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0002986.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0003033.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0003076.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0003118.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0003158.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0004158.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0004189.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0004261.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0004303.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005303.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005406.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005438.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005480.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005530.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005561.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005663.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005707.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005744.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005755.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005802.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005837.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005898.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005931.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005966.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0005997.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0006051.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0006107.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0006144.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0007144.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0007249.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0007283.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0007325.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0007361.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0007497.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0007559.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0008559.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009559.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009641.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009681.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009763.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009786.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009818.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009846.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0009873.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0010076.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0010114.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0011114.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0012114.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0012177.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0012255.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0012489.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0012518.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0012655.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP1\A0012677.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP2\A0012919.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP2\A0012979.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP2\A0013919.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP2\A0013947.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP3\A0014947.SYS Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{66522A5D-08CA-4723-8A05-B880D03EC579}\RP3\A0014957.SYS Win32/Olmarik.ZC trojan

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:50 AM

Posted 01 January 2011 - 02:28 PM

Good evening. :)

The list of files got cut off part way down. Did you keep a copy of the report that you could zip up and attach?

So long, and thanks for all the fish.



#7 Mako232

  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:50 PM

Posted 01 January 2011 - 05:11 PM

I thought the file list looked strange too. Here's the log file attached. However I've restarted the scan and will post any updated results in 30 mins. I have not been able to run it in IE8, the popup virus stalls it out when I go to the ESET site, so I'm using Chrome.

Attached Files

#8 Mako232

  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:50 PM

Posted 01 January 2011 - 08:01 PM

I reran the scan and got the same results. See attached txt file, I tried putting in a screenshot but couldn't. However I had trouble getting it to run all the way. It says Finished, but I have my doubts because the file count (180k files ESET)from Symantec scanner is over 300k. It says 77 bad files were found. I suspect a virus maybe shutting it down somehow. I switched off my Symantec virus scanner/control for this scan...

Thanks for your help!

Attached Files

#9 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:50 AM

Posted 02 January 2011 - 04:02 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.
  • You will then need to extract the file(s) from the zipped folder.

  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • One the scan has completed, if the tool has identified anything allow it to carry out it's default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.

  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which i'd like to see, will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.



#10 Mako232

  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:50 PM

Posted 02 January 2011 - 05:53 PM

Looks like this may have gotten it done! :woot: IE8 seems to be working and I don't see the same drag effects I've seen in the past. Attached are two logs, the initial one and then another scan I did after reboot. I also ran MBAM which produced a clean scan.

Thanks so much for your help! Let's make sure I've got any other holes plugged while we're at it... I'm wondering if I should upgrade to Windows 7 for improved security. Could this thing have left some backdoors or gotten into my router?

Thanks so much for your help with this!

Attached Files

#11 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:50 AM

Posted 03 January 2011 - 04:41 PM

Good evening. :)

I'm wondering if I should upgrade to Windows 7 for improved security.

I'm running XP on my Desktop and I sleep soundly at night.
To paraphrase somebody, I think in the F.B.I., "if you want a secure PC, stick it back in the box and bury it". All PCs have security issues, even those running Windows 7, so solely on the grounds of security, I wouldn't lay out the coin.
One AV, one firewall (which you're going to get shortly), some regular scans with MBAM and a little care and you should be no worse off than most everybody else.
Don't open emails from people you don't know and don't click links in emails even if you do know who they are from, and you lessen the risks all ready.

Could this thing have left some backdoors or gotten into my router?

No scans have shown anything like that, but obviously you can never be 100% sure of anything. The particular infection you had isn't know to do that anyway, so i'd not worry overly about it.

Would you mind having another go at the ESET scan now and see if it sorts itself out now the main issue has been dealt with.

So long, and thanks for all the fish.



#12 Mako232

  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:50 PM

Posted 03 January 2011 - 11:41 PM

I ran ESET scanner and got the attached report (it still is strangely truncated). When I saw all the files it identified were from a previous restore point, I cleared all previous restore points and created a new one then reran the scan. The second one returned a clean scan report, but there was no option to create a similar .txt file it just had a close button.

Computer operation has been back to normal as far as I can tell. No more redirects, and responsiveness is greatly improved. All browser types seem to work too.

Attached Files

#13 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:50 AM

Posted 05 January 2011 - 02:51 PM

Good evening. :)

If that's all that was detected i'd say you were about done.

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which i've used at one time or another) :

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/


I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.



#14 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:02:50 AM

Posted 10 January 2011 - 03:11 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users