
possible MBR rootkit: TDL4


  • This topic is locked
9 replies to this topic

#1 Michael Calkins

  • Members
  • 5 posts
  • Gender:Male
  • Location:Floresville, Texas

Posted 02 January 2011 - 12:48 AM

First: I am a self-employed computer technician. I consider myself fairly capable, but I am not as familiar with specific malware as I should be. I can remove most ordinary malware with MSE, Spybot, HijackThis, and Process Explorer. However, I'm having some trouble with the computer I'm currently cleaning up.

Note that I do not have my own high speed internet connection. I usually take computers to the public library to get the Microsoft updates and MSE and Spybot definitions, after I do as much as I can offline (I have offline installers for MS service packs, etc.). For that reason, I did some things in an otherwise suboptimal order.

The computer in question is a Dell Dimension 4700. It has a Pentium 4 3GHz, and 2GB of DDR2 (dual channel). It has a i915P/G chipset, and BIOS version A10. It had XP Pro 32 bit SP2, which I upgraded to SP3 before seriously suspecting a rootkit. It had IE 6, which I upgraded to IE8.

The customer complained about a message telling him that he exceeded his profile space, and it wouldn't let him shut down the computer properly. He also thought he had numerous malware, and requested a cleanup. Otherwise, I have not had much communication with the customer. The customer is a business associate of my dad's, but I do not know him very well.

I went into his Group Policy editor, and changed "Limit profile size" from "not configured" to "disabled". That seemed to fix the profile space issue.

The customer had CCleaner, Spybot, and Malwarebytes Anti-Malware installed already. He also had some sort of expired AVG 2011 trial version. I tried removing the AVG, but the uninstallation program wouldn't work. So I manually deleted its folders, and 2 obviously named .dll files from the system32 folder. However, the Windows Security Center still thinks AVG 2011 is installed and up to date.

I then started a normal cleanup on the computer, doing most of what I could without an internet connection. When I tried installing MSE, I was told that it needed the Windows Installer 3.1. I then installed SP3.

When I finally got MSE installed with an offline definition update from several weeks ago, it found Bubnix.A (iztbjhowu[1].htm and Local Settings\Temp\qcsnw.exe) and Ertfor.A (izgowq[1] and [2].htm, and Local Settings\Temp\lnonqxhp.exe). I found some other weirdly named .exe files in the Local Settings\Temp folder (dxfh.exe, mpqte.exe, and xdsfi.exe), but MSE didn't detect anything wrong with them. I also suspected 2 .dll files from the Windows folder, which were set to automatically start: w3hebcp.dll, which claims an original filename of "mt_masktools.dll", and egapelepixoxiwak.dll, which claims an original filename of "flvsplitter.ax" (I did install the K-Lite Codec Pack, but I don't know if that was part of it). I don't know if any of that means anything to you.

It was when I tried to get on the Internet that I started running into obvious problems. The Microsoft Update site just doesn't work at all. Neither IE nor Firefox can get to it. Wget downloads a small file from it. Also, I was having pop-up windows. IE would also start without me asking it to. At some point, both Firefox and IE had their search providers changed to ask.com without my permission. At some point, I think I stopped having pop-ups. (This was several days ago; I don't remember all the details.) Whenever I would search for anything with Google, the links in the results would take me to various weird sites. I had to copy and paste the URLs to get to the correct sites.

MSE will not update. Even the newer offline update doesn't seem to work.

Spybot S&D did not find anything.

Hijackthis works in regular mode, but hangs in safe mode.

For a while, MSE was finding Wimpixo.E in setup.exe in the Windows\Temp folder about every 10 minutes. However, this does not show up in MSE's history.

I think it's funny that a lot of times, processes are using exactly 50% cpu time. I don't know if that's normal in a single core chip.

Ordinarily, if I were to run into a problem like this, I would just reinstall Windows and be done with it. (If I suspected a rootkit, I would use the fixmbr and fixboot commands in the Recovery Console, after a hard boot.) However, the customer has numerous programs, and data scattered all over his hard drive, not just in My Documents, so I think having you guys help me with this would probably be easier than backing up everything and reinstalling, especially with the chance I might miss some data. (I could do a repair without formatting, but I don't think that is as clean.) If you guys think that I should still reinstall, then I will recommend that to the customer. Personally, if this were my computer, I would not trust it without a complete Windows reinstall. After reading a little about the TDL4 rootkit, I was tempted to try to remove it myself, but I am worried I wouldn't get it all or that there might be other things I wouldn't recognize. Please offer any advice you can. Thanks in advance.

I am not experienced with your DDS tool. Does the fact that it says hxxp instead of http mean anything?

Regards,
Michael


--- RootkitRevealer:


HKLM\SECURITY\Policy\Secrets\SAC* 8/11/2004 11:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/11/2004 11:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 3/11/2005 3:55 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-0.bin 1/1/2011 11:23 PM 1.96 MB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\MpScanCache-1.bin 12/30/2010 8:17 AM 1.51 MB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{1905D760-BB0C-4B1E-854F-5276B8E4E50F} 1/1/2011 11:07 PM 6.57 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{40C1993E-ED8B-4727-8CD4-8EAD1599628E} 1/1/2011 11:23 PM 6.71 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{A4BB6F18-16FA-4FDD-90AC-57D013D2B445} 1/1/2011 11:08 PM 6.64 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{AD85595D-E0C6-4A02-A74F-65481F8C963E} 1/1/2011 11:24 PM 6.71 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{F0D24A61-0FC6-4E4E-8805-924D3F8903C8} 1/1/2011 11:22 PM 6.71 KB Hidden from Windows API.

--- MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/29/2010 11:03:20 PM
mbam-log-2010-12-29 (23-03-20).txt

Scan type: Quick scan
Objects scanned: 143418
Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.


--- DDS:

DDS (Ver_10-12-12.02) - NTFSx86
Run by bear at 22:01:58.48 on Sat 01/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1482 [GMT -6:00]

AV: AVG Anti-Virus 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ClickTray Calendar\ClickTray.exe
C:\calkins\procexp\procexp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\calkins\new\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\bear\startm~1\programs\startup\clickt~1.lnk - c:\program files\clicktray calendar\ClickTray.exe
StartupFolder: c:\docume~1\bear\startm~1\programs\startup\shortc~1.lnk - c:\calkins\procexp\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bear\applic~1\mozilla\firefox\profiles\0u2byuww.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Mozilla Archive Format: {7f57cf46-4467-4c2d-adfa-0cba7c507e54} - %profile%\extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-11-17 1021256]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 dfg;dfg;c:\windows\system32\drivers\dfg.sys [2009-11-27 23552]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-12-28 23:20:48 0 ----a-w- c:\windows\Ccamejupecejoxo.bin
2010-12-28 23:20:46 -------- d-----w- c:\docume~1\bear\locals~1\applic~1\{68DB5690-95CD-4C35-AAE2-858B34EBE9ED}
2010-12-28 22:45:00 -------- d-sh--w- c:\documents and settings\bear\IECompatCache
2010-12-28 22:43:45 -------- d-sh--w- c:\documents and settings\bear\PrivacIE
2010-12-28 22:25:32 6273872 ------w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{174b147a-9c3c-4c37-8acc-426c6f5a41b2}\mpengine.dll
2010-12-28 22:25:32 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 22:24:51 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-28 22:13:06 -------- d-sh--w- c:\documents and settings\bear\IETldCache
2010-12-28 22:08:45 -------- dc-h--w- c:\windows\ie8
2010-12-28 22:07:53 165376 ----a-w- c:\windows\system32\unrar.dll
2010-12-28 22:07:51 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-12-28 22:07:51 237568 ----a-w- c:\windows\system32\yv12vfw.dll
2010-12-28 22:07:51 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-12-28 22:07:48 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-12-28 22:04:57 -------- d-----w- c:\program files\Windows Media Connect 2
2010-12-28 21:34:29 -------- d-----w- c:\windows\ServicePackFiles
2010-12-28 21:30:36 19569 ----a-w- c:\windows\002925_.tmp
2010-12-28 21:00:59 1409 ----a-w- c:\windows\QTFont.for
2010-12-28 20:30:06 330240 ----a-r- c:\windows\system32\drivers\ZD1211BU.sys
2010-12-28 04:45:58 -------- d-----w- c:\program files\WinBoard-4.2.7
2010-12-28 03:54:42 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2010-12-28 03:52:21 -------- d-----w- c:\program files\Astonsoft
2010-12-28 03:43:23 -------- d-----w- c:\program files\GNU
2010-12-28 03:30:59 -------- d-----w- c:\program files\SpywareBlaster
2010-12-28 03:10:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-12-28 03:10:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-28 03:10:44 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-12-28 00:27:02 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-12-28 00:12:19 -------- d-----w- C:\calkins
2010-12-27 23:41:59 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-12-27 23:41:24 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-12-27 23:41:24 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-12-27 23:41:16 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-12-27 23:40:40 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2010-12-28 04:07:21 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-12-07 18:40:22 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-07 18:22:46 810496 ----a-w- c:\windows\system32\xvidcore.dll
2010-10-14 10:53:06 0 ----a-w- c:\windows\system32\lsp13.tmp

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6Y080M0 rev.YAR51HW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A6FC44C]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a702504]; MOV EAX, [0x8a702580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x8A71D030]
3 CLASSPNP[0xF76B7FD7] -> nt!IofCallDriver[0x804E1397] -> [0x8A74CBD0]
\Driver\atapi[0x8A734A80] -> IRP_MJ_CREATE -> 0x8A6FC44C
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskMaxtor_6Y080M0__________________________YAR51HW0#3259483344424332202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A6FC298
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 22:03:20.62 ===============


--- GMER:


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-01 22:12:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 Maxtor_6Y080M0 rev.YAR51HW0
Running: gmer.exe; Driver: C:\DOCUME~1\bear\LOCALS~1\Temp\uwloapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8FAF000, 0x1C5D58, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xB95F4760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8CB6F80]
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !
? C:\DOCUME~1\bear\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[200] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[200] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[200] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00D3000A
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00D4000A
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00D2000C
.text C:\WINDOWS\System32\svchost.exe[1172] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1172] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EE000A

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A6FC298
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A6FC298
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A6FC298
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A6FC298

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskMaxtor_6Y080M0__________________________YAR51HW0#3259483344424332202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 156249744 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----
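The GMER and mbr.exe output above flags sector 0 (the MBR), sectors 10, 11 and 63, and a 255-sector range near the end of the disk. As an added example (my own code, not part of the thread and not from GMER or mbr.exe), the script below reads the partition table out of an MBR sector and places each flagged sector relative to that layout, so a responder can tell at a glance which hits are the MBR itself, the gap between the MBR and the first partition, a partition boot sector, or the unpartitioned tail of the disk where a bootkit can keep its own storage. The MBR bytes are constructed (one active NTFS partition from LBA 63 to 156249744 is an assumption chosen to match the flagged sectors), and GMER's "(+N)" suffix is carried through unchanged because the thread does not define its exact meaning.

```python
"""Place GMER 'rootkit-like behavior' sector hits relative to the MBR partition table."""
import re
import struct

# Constructed sample MBR (not taken from the thread): zeroed bootstrap code,
# one active NTFS partition (type 0x07) starting at LBA 63 and ending at
# LBA 156249744 (exclusive), and the mandatory 0x55AA boot signature.
_mbr = bytearray(512)
_mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 156249744 - 63)
_mbr[510:512] = b"\x55\xaa"
SAMPLE_MBR = bytes(_mbr)

# The "Disk sectors" lines as quoted from the GMER log in the thread.
SAMPLE_GMER_LOG = """\
Disk \\Device\\Harddisk0\\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 10: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sector 11: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sectors 156249744 (+255): rootkit-like behavior;
"""

# Matches "sector 63", "sector 00 (MBR)" and "sectors 156249744 (+255)".
SECTOR_RE = re.compile(r"\bsectors?\s+(\d+)(?:\s+\(\+(\d+)\))?")


def parse_partitions(mbr):
    """Return the non-empty entries of a classic MBR partition table.

    Each entry is a dict with 'active', 'type', 'start' (first LBA) and
    'end' (one past the last LBA).  Raises ValueError if the sector is not
    512 bytes or lacks the 0x55AA signature.
    """
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature or wrong sector size")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        boot, ptype, start, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype != 0:
            parts.append({"active": boot == 0x80, "type": ptype,
                          "start": start, "end": start + count})
    return parts


def parse_flagged(log_text):
    """Extract (start_sector, extra) pairs from GMER 'rootkit-like behavior' lines.

    'extra' is the N from a '(+N)' suffix, or 0 when the line names one sector.
    """
    hits = []
    for line in log_text.splitlines():
        if "rootkit-like behavior" not in line:
            continue
        m = SECTOR_RE.search(line)
        if m:
            hits.append((int(m.group(1)), int(m.group(2) or 0)))
    return hits


def locate(sector, parts):
    """Describe where an absolute sector falls relative to the partition layout."""
    if sector == 0:
        return "MBR"
    if not parts:
        return "no partition table entries"
    first = min(p["start"] for p in parts)
    last_end = max(p["end"] for p in parts)
    if sector < first:
        return "gap between MBR and first partition"
    for p in parts:
        if p["start"] <= sector < p["end"]:
            kind = "boot sector" if sector == p["start"] else "data"
            return "inside partition type 0x%02x (%s)" % (p["type"], kind)
    if sector >= last_end:
        return "beyond last partition (end-of-disk area)"
    return "unpartitioned gap"


def classify(mbr, log_text):
    """Pair every flagged sector in the log with its location on this MBR layout."""
    parts = parse_partitions(mbr)
    return [(s, extra, locate(s, parts)) for s, extra in parse_flagged(log_text)]


if __name__ == "__main__":
    for start, extra, where in classify(SAMPLE_MBR, SAMPLE_GMER_LOG):
        span = " (+%d)" % extra if extra else ""
        print("sector %d%s: %s" % (start, span, where))
```

On the constructed layout, the end-of-disk hit lands past the last partition and sectors 10 and 11 sit in the gap before it, which is consistent with mbr.exe's separate "user != kernel MBR" finding; a real responder would read the MBR bytes from the disk and supply the actual partition table instead of SAMPLE_MBR.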


#2 Michael Calkins
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:Floresville, Texas

Posted 02 January 2011 - 01:42 AM

A few things I forgot to mention, or didn't notice before:

I install a number of programs on computers I do cleanups on. Some of the software you see listed is stuff I installed or updated. A lot of it is stuff the customer already had, some of which I am completely unfamiliar with.

I stopped recommending AVG quite some time ago. (I think MSE has a better interface, and I've seen AVG miss some nasty fake antivirus programs that MSE can detect.) For that reason, I am not familiar with modern AVG antivirus. Notice that AVG is listed in the log as up to date. It is not. I tried manually removing it, as explained before.

I do not know what TuneUp Utilities is. The customer already had that. A brief search seems to indicate it is legitimate.

I assume Ati2evxx.exe is associated with his video driver, but am not sure.

I installed ProcessExplorer, and added a shortcut to it in the start up folder.

I uninstalled the old Java versions, and installed the current one. I think I installed the current IE and non-IE flash players also. He had Firefox already, but it was one or two revisions old. I usually install several addons, such as flashblock, unplug, and mozilla archive format.

The customer already had Spybot. He was using TeaTimer, and was using the full immunization. (I usually don't use TeaTimer, and I usually disable the host file immunization (I've seen it cause Sprint broadband to not work a few years ago.))

I installed .NET 4. I think he already had the older versions.

ZD1211BU.sys is my wireless adapter driver.

Winboard, Deepburner, GNU PG, spywareblaster, FileZilla, and K-Lite were all installed by me.

He had WMP 10, which I upgraded to WMP 11.

I did use sysinternals page file defrag.

I would have tried to remove My Way search assistant. I assumed Spybot would have gotten it.

I don't usually use MalwareBytes, but he already had it, and it seems to have a good reputation.

Anyway, this is probably too much info, but I'd rather give too much than too little.

Regards,
Michael

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 January 2011 - 09:49 AM

Hello Michael,

Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#4 Michael Calkins
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:Floresville, Texas

Posted 02 January 2011 - 06:35 PM

Hello, tea:

Nice to meet a fellow Texan. I didn't expect a reply so soon. Thanks for the help.

From what I've read about TDL4, it's not just the MBR, but the kernel debugger, or something like that, right?

Why is number of processors shown as 2? The Pentium 4 is a single core, I think.

Regards, Michael

2011/01/02 17:16:21.0046 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/02 17:16:21.0046 ================================================================================
2011/01/02 17:16:21.0046 SystemInfo:
2011/01/02 17:16:21.0046
2011/01/02 17:16:21.0046 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/02 17:16:21.0046 Product type: Workstation
2011/01/02 17:16:21.0046 ComputerName: D1MY7Z61
2011/01/02 17:16:21.0046 UserName: bear
2011/01/02 17:16:21.0046 Windows directory: C:\WINDOWS
2011/01/02 17:16:21.0046 System windows directory: C:\WINDOWS
2011/01/02 17:16:21.0046 Processor architecture: Intel x86
2011/01/02 17:16:21.0046 Number of processors: 2
2011/01/02 17:16:21.0046 Page size: 0x1000
2011/01/02 17:16:21.0046 Boot type: Normal boot
2011/01/02 17:16:21.0046 ================================================================================
2011/01/02 17:16:21.0687 Initialize success
2011/01/02 17:16:33.0859 ================================================================================
2011/01/02 17:16:33.0859 Scan started
2011/01/02 17:16:33.0859 Mode: Manual;
2011/01/02 17:16:33.0859 ================================================================================
2011/01/02 17:16:35.0953 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/01/02 17:16:36.0000 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/01/02 17:16:36.0062 dfg (744f4990513c2a8f3da6fce0abecbe11) C:\WINDOWS\system32\DRIVERS\dfg.sys
2011/01/02 17:16:36.0140 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
2011/01/02 17:16:36.0187 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/02 17:16:36.0312 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/02 17:16:36.0359 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/01/02 17:16:36.0390 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/02 17:16:36.0468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/02 17:16:36.0531 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/01/02 17:16:36.0578 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/02 17:16:36.0718 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2011/01/02 17:16:36.0781 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2011/01/02 17:16:36.0890 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/01/02 17:16:36.0953 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/02 17:16:37.0000 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/02 17:16:37.0062 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/02 17:16:37.0109 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/02 17:16:37.0187 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/02 17:16:37.0234 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/02 17:16:37.0281 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/02 17:16:37.0312 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/02 17:16:37.0343 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/02 17:16:37.0390 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/02 17:16:37.0453 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/01/02 17:16:37.0531 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/02 17:16:37.0562 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/01/02 17:16:37.0593 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/01/02 17:16:37.0625 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/02 17:16:37.0656 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/02 17:16:37.0703 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/01/02 17:16:37.0796 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/01/02 17:16:37.0890 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/01/02 17:16:37.0937 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/01/02 17:16:37.0968 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/02 17:16:38.0015 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/02 17:16:38.0046 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/02 17:16:38.0109 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/02 17:16:38.0156 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/02 17:16:38.0203 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/02 17:16:38.0234 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/02 17:16:38.0265 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/02 17:16:38.0312 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/02 17:16:38.0359 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/02 17:16:38.0390 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/02 17:16:38.0484 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/02 17:16:38.0515 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/02 17:16:38.0625 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/02 17:16:38.0671 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/02 17:16:38.0718 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/01/02 17:16:38.0734 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/01/02 17:16:38.0765 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/02 17:16:38.0812 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/02 17:16:38.0859 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/02 17:16:38.0921 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/01/02 17:16:38.0968 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/01/02 17:16:39.0015 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/02 17:16:39.0046 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/02 17:16:39.0093 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/02 17:16:39.0140 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/02 17:16:39.0187 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/02 17:16:39.0234 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/02 17:16:39.0296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/02 17:16:39.0328 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/02 17:16:39.0375 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/02 17:16:39.0406 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/02 17:16:39.0468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/02 17:16:39.0500 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/02 17:16:39.0531 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/02 17:16:39.0546 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/02 17:16:39.0578 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/02 17:16:39.0640 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/02 17:16:39.0687 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/02 17:16:39.0750 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/02 17:16:39.0859 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/02 17:16:39.0984 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/02 17:16:40.0031 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/02 17:16:40.0078 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/01/02 17:16:40.0156 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/02 17:16:40.0187 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/02 17:16:40.0250 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/02 17:16:40.0281 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/02 17:16:40.0359 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/02 17:16:40.0421 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/02 17:16:40.0593 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/01/02 17:16:40.0625 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/01/02 17:16:40.0671 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/02 17:16:40.0718 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/02 17:16:40.0750 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/02 17:16:40.0796 PxHelp20 (0c8da0a8b0d227319c285e0eae65defd) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/02 17:16:40.0859 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/01/02 17:16:40.0890 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/01/02 17:16:40.0921 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/01/02 17:16:40.0968 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/01/02 17:16:41.0000 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/01/02 17:16:41.0031 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/02 17:16:41.0078 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/02 17:16:41.0109 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/02 17:16:41.0156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/02 17:16:41.0203 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/02 17:16:41.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/02 17:16:41.0281 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/02 17:16:41.0343 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/02 17:16:41.0390 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/02 17:16:41.0500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/02 17:16:41.0578 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/01/02 17:16:41.0640 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/02 17:16:41.0671 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/02 17:16:41.0718 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/02 17:16:41.0796 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/01/02 17:16:41.0859 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/02 17:16:41.0906 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/01/02 17:16:42.0000 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/01/02 17:16:42.0046 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/02 17:16:42.0078 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/02 17:16:42.0125 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/02 17:16:42.0218 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/02 17:16:42.0234 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/02 17:16:42.0296 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/01/02 17:16:42.0343 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/01/02 17:16:42.0375 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/01/02 17:16:42.0406 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/01/02 17:16:42.0453 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/02 17:16:42.0515 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/02 17:16:42.0562 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/02 17:16:42.0609 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/02 17:16:42.0656 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/02 17:16:42.0718 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/01/02 17:16:42.0796 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
2011/01/02 17:16:42.0875 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/02 17:16:42.0921 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/01/02 17:16:42.0968 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/02 17:16:43.0031 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/02 17:16:43.0062 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/02 17:16:43.0093 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/02 17:16:43.0140 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/02 17:16:43.0187 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/02 17:16:43.0234 usb_rndis (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2011/01/02 17:16:43.0265 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/02 17:16:43.0296 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/01/02 17:16:43.0328 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/02 17:16:43.0359 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/02 17:16:43.0421 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/02 17:16:43.0531 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/02 17:16:43.0656 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/02 17:16:43.0718 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/02 17:16:43.0781 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/02 17:16:43.0843 ZD1211BU(ZyDAS) (56122eb6a52378b0ccf5bff1ff96989d) C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys
2011/01/02 17:16:43.0906 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/02 17:16:43.0921 ================================================================================
2011/01/02 17:16:43.0921 Scan finished
2011/01/02 17:16:43.0921 ================================================================================
2011/01/02 17:16:43.0921 Detected object count: 1
2011/01/02 17:17:55.0171 \HardDisk0 - will be cured after reboot
2011/01/02 17:17:55.0171 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/02 17:18:01.0437 Deinitialize success
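The TDSSKiller log above is line-oriented and easy to machine-check. What follows is an added example (not part of the original thread and not TDSSKiller's own code) that parses that layout, pulls out the detection and user-action lines, and runs two defender-side triage checks: which drivers load from outside the standard driver directory, and which driver records share an MD5. The line patterns are assumed from the layout of the log above; the embedded sample is a constructed excerpt of lines taken from it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt in the TDSSKiller log layout shown above (not the full log).
SAMPLE_LOG = """\
2011/01/02 17:16:33.0859 ================================================================================
2011/01/02 17:16:33.0859 Scan started
2011/01/02 17:16:33.0859 Mode: Manual;
2011/01/02 17:16:34.0359 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
2011/01/02 17:16:35.0562 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\\WINDOWS\\system32\\DRIVERS\\cbidf2k.sys
2011/01/02 17:16:35.0593 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\\WINDOWS\\system32\\drivers\\cbidf2k.sys
2011/01/02 17:16:36.0718 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\\Program Files\\DellSupport\\GTAction\\triggers\\DSproct.sys
2011/01/02 17:16:42.0796 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\\Program Files\\TuneUp Utilities 2010\\TuneUpUtilitiesDriver32.sys
2011/01/02 17:16:43.0843 ZD1211BU(ZyDAS) (56122eb6a52378b0ccf5bff1ff96989d) C:\\WINDOWS\\system32\\DRIVERS\\zd1211Bu.sys
2011/01/02 17:16:43.0906 \\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/02 17:16:43.0921 Scan finished
2011/01/02 17:16:43.0921 Detected object count: 1
2011/01/02 17:17:55.0171 \\HardDisk0 - will be cured after reboot
2011/01/02 17:17:55.0171 Rootkit.Win32.TDSS.tdl4(\\HardDisk0) - User select action: Cure
"""

# Every line starts with a timestamp; the rest of the line decides the record type.
TIMESTAMP_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) (.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")          # name (md5) path
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")        # object - detected verdict (n)
ACTION_RE = re.compile(r"^([^(]+)\(([^)]+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class DriverEntry:
    timestamp: str
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    timestamp: str
    target: str
    verdict: str


@dataclass
class ScanReport:
    drivers: List[DriverEntry] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    actions: List[Dict[str, str]] = field(default_factory=list)
    detected_count: int = 0


def parse_log(text: str) -> ScanReport:
    """Turn the raw log text into a structured report; unknown lines are skipped."""
    report = ScanReport()
    for raw in text.splitlines():
        m = TIMESTAMP_RE.match(raw.strip())
        if not m:
            continue  # blank lines and anything without a timestamp
        ts, rest = m.groups()
        if (d := DRIVER_RE.match(rest)):
            report.drivers.append(DriverEntry(ts, d.group(1), d.group(2), d.group(3)))
        elif (d := DETECT_RE.match(rest)):
            report.detections.append(Detection(ts, d.group(1), d.group(2)))
        elif (d := ACTION_RE.match(rest)):
            report.actions.append({"verdict": d.group(1), "object": d.group(2), "action": d.group(3)})
        elif (d := COUNT_RE.match(rest)):
            report.detected_count = int(d.group(1))
    return report


def drivers_outside_system32(report: ScanReport) -> List[str]:
    """Drivers loaded from anywhere other than the standard driver directory.
    Such entries are usually vendor tools, but they are the first place a reviewer looks."""
    prefix = "c:\\windows\\system32\\drivers\\"
    return [d.name for d in report.drivers if not d.path.lower().startswith(prefix)]


def shared_hashes(report: ScanReport) -> Dict[str, List[str]]:
    """MD5 values recorded under more than one driver name (same file, two services)."""
    by_md5: Dict[str, List[str]] = defaultdict(list)
    for d in report.drivers:
        by_md5[d.md5].append(d.name)
    return {h: names for h, names in by_md5.items() if len(names) > 1}


def triage(report: ScanReport) -> Dict[str, object]:
    """Summarise what a reviewer should look at; the lists are review items, not verdicts."""
    return {
        "clean": not report.detections and report.detected_count == 0,
        "detections": [f"{d.target}: {d.verdict}" for d in report.detections],
        "actions": [f"{a['object']}: {a['action']}" for a in report.actions],
        "drivers_outside_system32": drivers_outside_system32(report),
        "shared_md5": shared_hashes(report),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On this log the two drivers flagged as living outside `system32\drivers` are the Dell support and TuneUp Utilities drivers, and the only shared hash is two service names (`cbidf` and `cbidf2k`) pointing at the same `cbidf2k.sys`, which is why the output is presented as a review list rather than a verdict; the one real finding is the `\HardDisk0` detection and the `Cure` action recorded against it.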

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:57 PM

Posted 02 January 2011 - 07:05 PM

Hello,

You're welcome. :)

TDSSKiller gets its information directly from WMI, so it's probably accurate. Let's see for sure:

Please download this little script from here, just click it to run, and let me know what it says. :)

How is it running now please?

As far as I know this doesn't affect anything but the MBR.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#6 Michael Calkins

Michael Calkins
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:Floresville, Texas
  • Local time:05:57 PM

Posted 02 January 2011 - 07:39 PM

NumberOfCores: 1

It may be because of hyperthreading that the other said 2?

As I've said, I don't have high speed here. I'm using dial-up on my computer and sharing it to the customer's computer using Internet Connection Sharing. So far, there doesn't seem to be any search redirection, and I can finally get to the Windows Update site. I'll wait until I go to the library tomorrow before I give it a thorough workout. I'll probably go ahead and do another MSE scan with the somewhat newer definitions, now that the rootkit is gone.

I'll post back later, probably tomorrow.

Aside from the TDL4 and the My way, did you see anything else suspicious in the logs?

Thank you. Regards, Michael.

Edited by Michael Calkins, 02 January 2011 - 07:44 PM.


#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:57 PM

Posted 02 January 2011 - 07:43 PM

Hi Michael,

Could be....not seen it do that before.

No, looks pretty good now. :thumbup2: Take it for a spin....lol...and let me know how it does. Post when you're ready. :)

tea

#8 Michael Calkins

Michael Calkins
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Location:Floresville, Texas
  • Local time:05:57 PM

Posted 04 January 2011 - 11:15 PM

Hello, Tea:

The library was closed Monday. I got most of the updates on the library's high speed connection today, and am getting the remaining ones now on dial up.

So far the computer has been working quite well. No search redirects since running TDSSKiller, and Microsoft Update continues to work as expected.

Anyway, after the rootkit removal and updating MSE, it flagged 3 of the files I suspected, including both .dll files.

Win32/Hiloti.gen!D

file:C:\calkins\suspect\egapelepixoxiwak.dll
file:C:\calkins\suspect\w3hebcp.dll
file:C:\calkins\suspect\xdsfi.exe.bad
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0131479.dll
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0131480.dll
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0132484.lnk
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0132520.dll
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP37\A0132521.dll
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0132557.dll
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0132558.dll

Java/CVE-2010-0840.W

containerfile:C:\Documents and Settings\bear\Application Data\Sun\Java\Deployment\cache\6.0\11\16818dcb-3ab597de
file:C:\Documents and Settings\bear\Application Data\Sun\Java\Deployment\cache\6.0\11\16818dcb-3ab597de->bpac/a.class

The other 2 .exe files that I suspected, I submitted to VirusTotal.
dxfh.exe was identified as "Zugo (fs)".
mpqte.exe was identified as "Gen:Variant.Kazy.6762", "W32/Damaged_File.B.gen!Eldorado", "Corrupt-AG!1CBE32F95D49", "Trojan.Agent/Gen-Venue", and "W32/Behav-Heuristic-CorruptFile-EP".

SHA-1 hashes:
e4c60ad6fe382d7388a1379c49eef11f6f09b44a dxfh.exe.bad (478868 bytes)
edc453073fc35090ef90f8beb99900ba41ffdc34 mpqte.exe.bad (88064 bytes)

I'd like to run dds and/or gmer one more time, just to be sure, but I'll wait until after I finish getting the updates and doing the tweaking (probably tomorrow).

Regards, Michael

Edited by Michael Calkins, 04 January 2011 - 11:34 PM.
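The post above records each quarantined sample the way a reviewer wants it: a digest, the file name with the `.bad` suffix that keeps it from being run by accident, and the size in bytes. The following is an added example (not part of the thread, and not any tool the poster used) that produces the same kind of manifest for a directory of quarantined files, reading each file once and computing MD5, SHA-1 and SHA-256 together so the sample can be matched against scanner reports whichever digest they quote. The quarantine directory it builds is constructed from placeholder bytes, not real samples.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 16  # read in 64 KiB pieces so large samples do not need to fit in memory


@dataclass
class FileRecord:
    name: str
    size: int
    md5: str
    sha1: str
    sha256: str


def hash_file(path: str) -> FileRecord:
    """Read the file once, feeding every digest in parallel."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return FileRecord(
        name=os.path.basename(path),
        size=size,
        md5=hashers["md5"].hexdigest(),
        sha1=hashers["sha1"].hexdigest(),
        sha256=hashers["sha256"].hexdigest(),
    )


def build_manifest(directory: str) -> List[FileRecord]:
    """Hash every regular file in the quarantine directory, in name order.
    Symlinks are skipped so a planted link cannot make the manifest describe a file elsewhere."""
    entries = sorted(os.scandir(directory), key=lambda e: e.name)
    return [hash_file(e.path) for e in entries if e.is_file(follow_symlinks=False)]


def render_manifest(records: List[FileRecord]) -> str:
    """One line per sample in the layout used in the post: sha1, name, size."""
    return "\n".join(f"{r.sha1} {r.name} ({r.size} bytes)" for r in records)


def make_sample_quarantine() -> str:
    """Constructed quarantine directory; the contents are placeholder bytes, not malware."""
    d = tempfile.mkdtemp(prefix="quarantine-")
    for name, data in (("sample1.exe.bad", b"abc"), ("sample2.dll.bad", b"")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    print(render_manifest(build_manifest(make_sample_quarantine())))
```

Keeping all three digests in the record costs one extra pass over nothing (the file is read once), and it avoids a second trip to the quarantine when a report turns out to quote SHA-256 or MD5 rather than the SHA-1 the poster recorded.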


#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:57 PM

Posted 04 January 2011 - 11:23 PM

Hi Michael,

Post when you're ready. :)

tea

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:57 PM

Posted 10 January 2011 - 12:40 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.