
Google Redirects, Computer Restart During Gmer Scan, Possible SDSS Rootkit Infection?


28 replies to this topic

#1 greenisorabracadabra


Posted 14 January 2011 - 06:44 PM

Hello,

Here is a brief story: A few weeks ago I thought I had some kind of malware on my computer, because my computer showed the symptoms I described in another post. About three weeks ago, I reinstalled Windows XP (Home Edition 2002 Version Service Pack One) onto my computer (Sony Vaio Model PCV-2222) and everything seemed fine. A few days later I started getting Google redirects. A few days after that I couldn't open certain image files on my computer.

I was growing worried today when I couldn't open images on my computer, so I decided to run a Gmer scan, when all of a sudden something strange happened. Shortly after I started the scan, the Gmer program found hundreds of files in the registry, and it identified the "type" of those files as "SDSS." Then the computer restarted itself. I ran the scan again, and it only found one file. I'll post the results below.

I don't know what to do, but I will be very helpful if anyone can lend a hand.

Cordially,
Abra


Here's the dds:

DDS (Ver_10-12-12.02) - NTFSx86
Run by [ABRA] at 14:00:42.92 on Fri 01/14/2011
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.760.455 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SoftwareDistribution\Download\52c3c5fcac76d5dae0028af881d97be2\update\update.exe
C:\Documents and Settings\[ABRA]\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: CheckHO Class: {576eb0ad-6980-11d5-a9cd-0001032fee17} - c:\program files\yahoo!\common\ycheckh.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [Mozilla Quick Launch] "c:\program files\netscape\netscape\Netscp.exe" -turbo
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
mRun: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
StartupFolder: c:\docume~1\dougla~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dougla~1\applic~1\mozilla\firefox\profiles\5bonvh3h.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2011-01-02 20:09:31 -------- d-----w- c:\docume~1\dougla~1\locals~1\applic~1\CutePDF Writer
2010-12-31 15:33:02 -------- d-----w- c:\docume~1\dougla~1\locals~1\applic~1\Identities
2010-12-17 03:41:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\GoldWave
2010-12-17 03:38:12 -------- d-----w- c:\program files\GoldWave

==================== Find3M ====================


============= FINISH: 14:01:50.64 ===============

Attached Files
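As an added example (not from this thread, and not part of the DDS tool), here is a small Python triage script for the DDS "Pseudo HJT Report" format shown in the log above: it parses BHO, uRun/mRun and DPF lines into records and flags the entries a helper reviews first (autoruns that launch a script file or script host, commands with no full path, unquoted paths containing spaces, and ActiveX packages loaded from a local path or from a host off an allowlist). The sample lines are copied from the log above and the host allowlist is a constructed assumption; a flag means "review this", not "malicious".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the DDS "Pseudo HJT Report" format (DDS defangs http as hxxp).
SAMPLE_HJT = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
uRun: [Mozilla Quick Launch] "c:\program files\netscape\netscape\Netscp.exe" -turbo
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
"""
# Constructed allowlist of ActiveX (DPF) download hosts; an assumption for this example.
ALLOWED_DPF_HOSTS = {"java.sun.com", "download.macromedia.com"}

RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.+?):\s+(?P<clsid>\{[^}]+\})\s+-\s+(?P<path>.+)$")
DPF_RE = re.compile(r"^DPF:\s+(?P<name>.+?)\s+-\s+(?P<src>\S+)$")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
EXEC_EXT = (".exe", ".com", ".scr", ".pif") + SCRIPT_EXT
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Entry:
    kind: str     # "Run", "BHO", "DPF" or "Other"
    name: str
    target: str   # executable, loaded DLL/OCX, or download source
    quoted: bool  # Run entries only: was the executable path quoted?
    raw: str


def executable_of(cmd: str) -> Tuple[str, bool]:
    """(executable, was_quoted) for a Run command. An unquoted path with spaces is
    reassembled token by token until a known executable extension is reached."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXT):
            return " ".join(tokens[: i + 1]), False
    return (tokens[0] if tokens else ""), False


def parse_hjt(text: str) -> List[Entry]:
    """Parse Pseudo HJT lines into Entry records; other line types are kept as 'Other'."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            exe, quoted = executable_of(m["cmd"])
            entries.append(Entry("Run", m["name"], exe, quoted, line))
        elif m := BHO_RE.match(line):
            entries.append(Entry("BHO", m["name"], m["path"], True, line))
        elif m := DPF_RE.match(line):
            entries.append(Entry("DPF", m["name"], m["src"], True, line))
        else:
            entries.append(Entry("Other", line.split(":", 1)[0], "", True, line))
    return entries


def dpf_reason(src: str) -> Optional[str]:
    """Why a DPF download source deserves a look, or None if its host is allowlisted."""
    m = re.match(r"^(?P<scheme>[a-z]+)://(?P<host>[^/\\]+)", src.lower())
    if not m:
        return "download source could not be parsed"
    if m["scheme"] == "file":
        return "ActiveX package is loaded from a local path"
    if m["host"] not in ALLOWED_DPF_HOSTS:
        return "download host %s is not on the allowlist" % m["host"]
    return None


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(entry name, reason) pairs for entries to review first. A hit means 'look at
    this', not 'malicious': vendor software uses scripts and bare names too."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        t = e.target.lower()
        if e.kind == "Run":
            if t.endswith(SCRIPT_EXT) or t.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
                findings.append((e.name, "autorun launches a script file or script host"))
            if "\\" not in t:
                findings.append((e.name, "autorun has no full path; resolved via the search path"))
            if not e.quoted and " " in t:
                findings.append((e.name, "unquoted path containing spaces"))
        elif e.kind == "DPF":
            reason = dpf_reason(e.target)
            if reason:
                findings.append((e.name, reason))
    return findings
```

Run `triage(parse_hjt(SAMPLE_HJT))` to see which of the sample entries get flagged and why; the same functions accept the full Pseudo HJT section pasted from a DDS log.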





#2 m0le


Posted 19 January 2011 - 06:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 greenisorabracadabra


Posted 20 January 2011 - 09:44 AM

Hi m0le,

Thank you so much for your help. I'm ready for your instructions.

Abra

#4 m0le


Posted 20 January 2011 - 06:41 PM

I think you mean TDSS rather than SDSS, but let's check.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#5 greenisorabracadabra


Posted 21 January 2011 - 10:39 AM

Hi m0le,

Thank you so much for your help. The TDSS Killer program didn't find anything malicious on my system. I'll copy and paste the report below. What can I try next? I am thankful for any advice you can give me.

Cordially,
Abra

Here is the report:

2011/01/21 09:36:21.0703 TDSS rootkit removing tool 2.4.14.0 Jan 18 2011 09:33:51
2011/01/21 09:36:21.0703 ================================================================================
2011/01/21 09:36:21.0703 SystemInfo:
2011/01/21 09:36:21.0703
2011/01/21 09:36:21.0703 OS Version: 5.1.2600 ServicePack: 1.0
2011/01/21 09:36:21.0703 Product type: Workstation
2011/01/21 09:36:21.0703 ComputerName: SONY-VAIO
2011/01/21 09:36:21.0703 UserName: [Abra]
2011/01/21 09:36:21.0703 Windows directory: C:\WINDOWS
2011/01/21 09:36:21.0703 System windows directory: C:\WINDOWS
2011/01/21 09:36:21.0703 Processor architecture: Intel x86
2011/01/21 09:36:21.0703 Number of processors: 1
2011/01/21 09:36:21.0703 Page size: 0x1000
2011/01/21 09:36:21.0703 Boot type: Normal boot
2011/01/21 09:36:21.0703 ================================================================================
2011/01/21 09:36:22.0078 Initialize success
2011/01/21 09:36:28.0937 ================================================================================
2011/01/21 09:36:28.0937 Scan started
2011/01/21 09:36:28.0937 Mode: Manual;
2011/01/21 09:36:28.0937 ================================================================================
2011/01/21 09:37:04.0406 ================================================================================
2011/01/21 09:37:04.0406 Scan finished
2011/01/21 09:37:04.0406 ================================================================================

#6 m0le


Posted 21 January 2011 - 07:00 PM

Next, please run Combofix

Please download ComboFix from one of these locations: IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 greenisorabracadabra


Posted 22 January 2011 - 09:19 AM

Hi m0le,

Thank you again for your help. I'll attach the combofix log. Please let me know what I should do next.

Abra

Attached Files



#8 m0le


Posted 22 January 2011 - 09:22 PM

Next please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#9 greenisorabracadabra


Posted 23 January 2011 - 10:40 AM

Hi m0le,

Thank you again for your continued help. I'll paste the log from Malwarebytes below. What can I do next?

Cordially,
Abra

Malware Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5576

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

1/23/2011 9:37:11 AM
mbam-log-2011-01-23 (09-37-11).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 197119
Time elapsed: 1 hour(s), 23 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
g:\Music\mp3 plugin 2.0\damn_mp3plugin_kg.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

#10 m0le


Posted 23 January 2011 - 06:38 PM

Please scan with ESET

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#11 greenisorabracadabra

greenisorabracadabra
  • Topic Starter

  • Members
  • 27 posts
  • Gender: Male
  • Location: Milwaukee, WI

Posted 24 January 2011 - 11:39 AM

Hi m0le,

Thank you as always for your help. Here is what the ESET scan turned up:

C:\WINDOWS\Drivers\Audio2\COMMON\CtSpkHlp.dll probably a variant of Win32/Spy.Agent.CVQMXMH trojan cleaned by deleting - quarantined

Please let me know what I should do next. Thank you again.

Sincerely,
Abra

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 24 January 2011 - 02:42 PM

How's the PC running? That last ESET scan removed the trojan that began the infection and you're looking good to go now.
m0le is a proud member of UNITE

#13 greenisorabracadabra

greenisorabracadabra
  • Topic Starter

  • Members
  • 27 posts
  • Gender: Male
  • Location: Milwaukee, WI

Posted 24 January 2011 - 08:47 PM

Hey m0le,

Thank you as always for your continued help. Unfortunately, there still seems to be something wrong with my computer. Some things still cause my computer memory to all but die. For instance, if I try to open the "my images" folder, the computer practically freezes. If I press control, alt, & delete, I find that the CPU Usage meter has jumped up to 100%, with almost all of the memory being used up by Internet Explorer. Do you know why that might be happening? Please let me know if you do.

Cordially,
Abra

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 25 January 2011 - 01:38 PM

It could be a hardware problem, but let's just check.

Please download Process Explorer

Please open Process Explorer.

Select the Svchost process that is using the high CPU.

Right click it and select Properties, then the Services tab.

Under Services Registered in Process, you will find the Service and Display name.

Please take note of what these are and include it in your next reply.
m0le is a proud member of UNITE
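The Process Explorer steps above come down to one question: which services live inside the svchost.exe that is burning CPU? The same lookup from a Windows PowerShell prompt, as an added example that is not part of the thread or of m0le's instructions (it assumes Windows PowerShell is installed on the machine; `$TopN` is an arbitrary value chosen here):

```powershell
# Added example, not from the thread: the check behind Process Explorer's
# "Services Registered in Process" tab, run from Windows PowerShell.
# Assumes Windows PowerShell (Get-Process, Get-WmiObject, Win32_Service are
# all standard there). $TopN is an arbitrary constructed value.
param([int]$TopN = 5)

# 1. The processes that have used the most CPU time since they started.
#    CPU is cumulative seconds of processor time, so the process that has been
#    pegged near 100% for a while (as in the thread) rises to the top.
$busy = Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First $TopN Id, ProcessName, CPU, WorkingSet64

Write-Host "Top $TopN processes by CPU time:"
$busy | Format-Table -AutoSize | Out-Host

# 2. For each of them, resolve the Windows services hosted in that PID.
#    A svchost.exe will list the Service name, Display name and binary path,
#    which is exactly what the helper asked for. explorer.exe and iexplore.exe
#    host no services at all; for those, Process Explorer's lower-pane DLL
#    view (the modules loaded into the process) is the next thing to look at.
foreach ($p in $busy) {
    $svcs = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $($p.Id)"
    if ($svcs) {
        Write-Host "PID $($p.Id) ($($p.ProcessName)) hosts:"
        $svcs | Select-Object Name, DisplayName, State, PathName |
            Format-Table -AutoSize | Out-Host
    } else {
        Write-Host "PID $($p.Id) ($($p.ProcessName)) hosts no services."
    }
}
```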

#15 greenisorabracadabra

greenisorabracadabra
  • Topic Starter

  • Members
  • 27 posts
  • Gender: Male
  • Location: Milwaukee, WI

Posted 25 January 2011 - 07:14 PM

Hey m0le,

I wasn't sure how to check the svchosts for explorer.exe (which appears to be using up all of the computer's memory here), so I took a picture of the Process Explorer program to show you what it looks like (I've attached the picture to this reply). Is there a way for me to check the svchosts for explorer.exe? Please let me know what I should do next. Thank you as always for your help.

Cordially,
Abra

Attached Files