Virus removal


This topic is locked
9 replies to this topic

#1 dan5
Posted 16 January 2011 - 06:11 PM

Hi, my laptop recently started acting really funky. Google Chrome no longer works (it doesn't open up any pages), I get popups pretty frequently and there are other small things that happen as well, such as a "profile can't be found" message when I reboot, and an "OnDblClick() failed" window when I try to double click on my Avira Antivir icon (my antivirus software). Avira found a few viruses and Spybot found some adware and deleted it, but I'm still having problems.
When I ran GMER, I got a BSOD with the following message: "A problem was detected and Windows needs to shut down to prevent further damage to your computer: PFN_LIST_CORRUPT". In there as well was "STOP: 0X0000004E". I reran GMER and the same thing happened, so I don't have the GMER log.

I also noticed 3 items in Startup in the System Configuration utility: Yc0, Yc1 and Ydi, which looked weird. After Google told me they were malware, I unchecked them to ensure they didn't start up again.

This all started happening in the last few days. It's a nearly 5 year old Dell that I'm sure I'll have to replace soon, but considering my needs (just surfing, music and movies) I'd rather not have to spend on a new machine if I can get more out of this piece of junk.

Any help would be appreciated.

Thanks.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Daniel Bonder at 17:41:21.75 on 16/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1040 [GMT -5:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe
C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Daniel Bonder\Desktop\ChromeSetup.exe
C:\Documents and Settings\Daniel Bonder\Local Settings\Application Data\Google\Chrome\Application\8.0.552.237\Installer\setup.exe
C:\Documents and Settings\Daniel Bonder\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Daniel Bonder\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\daniel bonder\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [TRUUpdater] "c:\program files\sierra wireless inc\webupdater\TRUUpdater.exe" /bkground
mRun: [AirCardEnabler]
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\watcher\WaHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241732084656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: acaptuser32.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel~1\applic~1\mozilla\firefox\profiles\scn1glqt.default\
FF - component: c:\documents and settings\daniel bonder\application data\mozilla\firefox\profiles\scn1glqt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\daniel bonder\application data\mozilla\firefox\profiles\scn1glqt.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\daniel bonder\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XULRunner: {DB04AF64-D80D-4CD6-8431-2843C63250F4} - c:\documents and settings\daniel bonder\local settings\application data\{DB04AF64-D80D-4CD6-8431-2843C63250F4}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-7 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-7 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-7 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-7 61960]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-3-9 93960]

=============== Created Last 30 ================

2011-01-16 20:21:29 -------- d-----w- c:\windows\pss
2011-01-15 22:09:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-01-15 16:35:50 -------- d-----w- c:\docume~1\daniel~1\locals~1\applic~1\Mozilla
2011-01-15 03:23:05 212992 ----a-w- c:\windows\Ysokyb.exe
2011-01-15 02:42:26 0 ----a-w- c:\windows\Pzeqozecahexofip.bin
2011-01-15 02:42:24 -------- d-----w- c:\docume~1\daniel~1\locals~1\applic~1\{DB04AF64-D80D-4CD6-8431-2843C63250F4}
2011-01-15 02:41:20 77824 --sha-r- c:\windows\system32\pidgenw.dll
2011-01-15 02:41:19 77824 --sha-r- c:\windows\system32\grpconv4.dll
2011-01-15 02:41:19 77824 --sha-r- c:\windows\system32\atttrkxx6.dll
2011-01-15 02:40:45 212992 ----a-w- c:\windows\Ysokya.exe
2010-12-20 03:52:07 -------- d-----w- c:\docume~1\daniel~1\applic~1\Avira

==================== Find3M ====================

2010-12-06 03:02:18 256 ----a-w- c:\windows\system32\pool.bin

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200BEVS-75LAT0 rev.02.06M02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A925555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a92b7b0]; MOV EAX, [0x8a92b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A992AB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006f[0x8A999260]
5 ACPI[0xF7245620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A93ED98]
\Driver\atapi[0x8A9C7738] -> IRP_MJ_CREATE -> 0x8A925555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVS-75LAT0___________________02.06M02#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A92539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 17:42:54.87 ===============

#2 fenzodahl512
Posted 17 January 2011 - 01:53 AM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.




Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

Posted Image


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#3 dan5

Posted 17 January 2011 - 05:58 PM

Hi, the TDSS log is below. I tried running ComboFix but when I ran it, I got the message: "Windows cannot access the specified device, path or file. You may not have appropriate permission to access the file". I click OK and I get the same message over and over with different files appearing at the top of the warning, so I don't have the ComboFix log.
FYI I'm the only user and am logged in as an administrator.


2011/01/17 17:44:35.0890 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/17 17:44:35.0890 ================================================================================
2011/01/17 17:44:35.0890 SystemInfo:
2011/01/17 17:44:35.0890
2011/01/17 17:44:35.0890 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/17 17:44:35.0890 Product type: Workstation
2011/01/17 17:44:35.0890 ComputerName: DANIEL
2011/01/17 17:44:35.0890 UserName: Daniel Bonder
2011/01/17 17:44:35.0890 Windows directory: C:\WINDOWS
2011/01/17 17:44:35.0890 System windows directory: C:\WINDOWS
2011/01/17 17:44:35.0890 Processor architecture: Intel x86
2011/01/17 17:44:35.0890 Number of processors: 2
2011/01/17 17:44:35.0890 Page size: 0x1000
2011/01/17 17:44:35.0890 Boot type: Normal boot
2011/01/17 17:44:35.0890 ================================================================================
2011/01/17 17:44:37.0625 Initialize success
2011/01/17 17:44:49.0015 ================================================================================
2011/01/17 17:44:49.0015 Scan started
2011/01/17 17:44:49.0015 Mode: Manual;
2011/01/17 17:44:49.0015 ================================================================================
2011/01/17 17:45:00.0921 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/01/17 17:45:00.0921 sptd - detected Locked file (1)
2011/01/17 17:45:11.0062 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/17 17:45:11.0062 ================================================================================
2011/01/17 17:45:11.0062 Scan finished
2011/01/17 17:45:11.0062 ================================================================================
2011/01/17 17:45:11.0093 Detected object count: 2
2011/01/17 17:45:54.0968 Locked file(sptd) - User select action: Skip
2011/01/17 17:45:54.0984 \HardDisk0 - will be cured after reboot
2011/01/17 17:45:54.0984 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/17 17:46:00.0640 Deinitialize success

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:54 AM

Posted 17 January 2011 - 11:49 PM

Hi, sorry, but first, may I know what type of computer the infected one is? Is it a Dell, an HP, or something else?

That computer's MBR (master boot record) seems to be infected. Please reboot the computer and do the following first; we'll need to check on something.

Please download MBRCheck from Here or Here to your Desktop.
  • Double click MBRCheck.exe and let it run.
  • After it is finished press Enter to close the command window.
  • Please post the contents of the MBR text log that is created on your Desktop.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 dan5

dan5
  • Topic Starter

  • Members
  • 23 posts
  • Local time:10:54 PM

Posted 18 January 2011 - 07:44 PM

Hi, it's a Dell, nearly 5 years old and ready to be replaced but thought I might be able to keep it running a little longer.
Log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF7285000 spjf.sys
0xF7989000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF726D000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF723F000 ACPI.sys
0xF722E000 pci.sys
0xF7487000 ohci1394.sys
0xF7497000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF74A7000 isapnp.sys
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74B7000 MountMgr.sys
0xF720F000 ftdisk.sys
0xF798B000 dmload.sys
0xF71E9000 dmio.sys
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF71D1000 atapi.sys
0xF7717000 cercsr6.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF71B1000 fltmgr.sys
0xF719F000 sr.sys
0xF74F7000 PxHelp20.sys
0xF7188000 KSecDD.sys
0xF70FB000 Ntfs.sys
0xF70CE000 NDIS.sys
0xF70B4000 Mup.sys
0xF686A000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7977000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF797B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF64EF000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF64DB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF64B3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6088000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF685A000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF684A000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6074000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF683A000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF682A000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF681A000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF680A000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6051000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF6019000 \SystemRoot\System32\Drivers\a8xn70xw.SYS
0xF7AD5000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF79B1000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF7867000 \SystemRoot\System32\Drivers\Modem.SYS
0xF67FA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7088000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6002000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF67EA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF67DA000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF786F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5FF1000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7517000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7877000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF787F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7887000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xF5FC1000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7527000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79B3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5F63000 \SystemRoot\system32\DRIVERS\update.sys
0xF706C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7537000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEDE09000 \SystemRoot\system32\drivers\sthda.sys
0xEDDE5000 \SystemRoot\system32\drivers\portcls.sys
0xF7567000 \SystemRoot\system32\drivers\drmk.sys
0xEDDAB000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xEDCB4000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xEDBFE000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xF7577000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79B9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79C1000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B4B000 \SystemRoot\System32\Drivers\Null.SYS
0xF79C3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7757000 \SystemRoot\System32\drivers\vga.sys
0xF79C5000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79C7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF775F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7767000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF793B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEDBA3000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEDB4A000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEDB22000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEDAFC000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEDADA000 \SystemRoot\System32\drivers\afd.sys
0xF7587000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF776F000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xEDAAF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7957000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0xEDA3F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF75A7000 \SystemRoot\System32\Drivers\Fips.SYS
0xEDA19000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF795F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF75B7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7777000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF79CD000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF7963000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xF7967000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF75C7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF75D7000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF75F7000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xED939000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79E3000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF5F4F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF777F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B1E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF058000 \SystemRoot\System32\ati2cqag.dll
0xBF0D2000 \SystemRoot\System32\atikvmag.dll
0xBF140000 \SystemRoot\System32\atiok3x2.dll
0xBF170000 \SystemRoot\System32\ati3duag.dll
0xBF43F000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEB5E4000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xEB5FD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEB5F9000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xEB287000 \SystemRoot\system32\drivers\wdmaud.sys
0xEB4B4000 \SystemRoot\system32\drivers\sysaudio.sys
0xF6EF4000 \SystemRoot\System32\Drivers\HTTP.sys
0xEB159000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xF6E7A000 \SystemRoot\system32\DRIVERS\srv.sys
0xB9E25000 \SystemRoot\system32\drivers\kmixer.sys
0xB9906000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
792 C:\WINDOWS\system32\smss.exe
844 csrss.exe
880 C:\WINDOWS\system32\winlogon.exe
924 C:\WINDOWS\system32\services.exe
936 C:\WINDOWS\system32\lsass.exe
1132 C:\WINDOWS\system32\ati2evxx.exe
1148 C:\WINDOWS\system32\svchost.exe
1232 svchost.exe
1272 C:\WINDOWS\system32\svchost.exe
1360 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
1428 svchost.exe
1520 C:\WINDOWS\system32\ati2evxx.exe
1544 svchost.exe
1800 C:\WINDOWS\system32\spoolsv.exe
1840 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1848 C:\WINDOWS\system32\rundll32.exe
256 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
324 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
328 C:\WINDOWS\explorer.exe
424 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
460 C:\Program Files\Bonjour\mDNSResponder.exe
492 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
784 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
940 C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
1316 svchost.exe
1372 C:\WINDOWS\system32\svchost.exe
984 mcrdsvc.exe
176 wmiprvse.exe
900 C:\WINDOWS\ehome\ehtray.exe
1048 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
1204 C:\WINDOWS\stsystra.exe
1536 C:\Program Files\Dell\QuickSet\quickset.exe
1516 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2004 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
2052 C:\Program Files\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe
2076 C:\Program Files\Sierra Wireless Inc\Watcher\WaHelper.exe
2096 C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
2112 C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
2128 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2148 C:\Program Files\iTunes\iTunesHelper.exe
2168 C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
2220 C:\WINDOWS\system32\ctfmon.exe
2252 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2612 alg.exe
3200 C:\WINDOWS\system32\wbem\unsecapp.exe
3248 C:\WINDOWS\ehome\ehmsas.exe
3392 wmiprvse.exe
3568 C:\Program Files\iPod\bin\iPodService.exe
3696 C:\WINDOWS\ehome\ehSched.exe
2624 C:\WINDOWS\system32\wuauclt.exe
828 C:\WINDOWS\system32\dllhost.exe
3840 C:\Program Files\Mozilla Firefox\firefox.exe
2240 C:\Program Files\Mozilla Firefox\plugin-container.exe
1308 C:\Documents and Settings\Daniel Bonder\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200BEVS-75LAT0, Rev: 02.06M02

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

thanks
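The MBR check requested in the previous reply, and the output posted above, come down to a few operations: read sector 0 of the physical drive, confirm the 0x55AA boot signature, hash the boot-code bytes and compare that hash against a table of known clean boot code (MBRCheck's "Windows XP MBR code detected" line is such a match), and list the partition table. The Python below is an added example written for this thread, not MBRCheck's or TDSSKiller's own code. The sample sector, its "trusted baseline" hash and the partition values are constructed for the demo, and the known-hash table is an assumption: in practice the operator fills it from a trusted offline copy of the same operating system's MBR. Two practitioner points it illustrates: a bootkit of the TDL4 family reported by TDSSKiller on \HardDisk0 replaces the boot code but leaves the partition table intact so the machine still boots, which is why hashing only the first 440 bytes (ahead of the per-disk NT signature) is the useful comparison; and a read taken through the running OS's disk stack can be filtered by an active rootkit, so a clean result from a live system is weaker evidence than one taken from offline boot media.

```python
"""Added example: inspect a 512-byte MBR roughly the way MBRCheck does.

Illustrative code written for this thread, not MBRCheck's or TDSSKiller's
implementation. The sample sector is constructed; the known-hash table is a
placeholder the operator fills from a trusted, offline copy of the OS's MBR.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # x86 boot code; bytes 440-443 hold the NT disk signature
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the disk signature and the partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0x00:
            continue                      # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        # Hash only the boot code: the disk signature differs per machine and would
        # make every clean MBR look unique.
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
    }


def classify_boot_code(info: dict, known: dict) -> str:
    """Label a known boot-code hash, or 'unknown' (MBRCheck's 'Unknown MBR code' case)."""
    return known.get(info["boot_code_sha1"], "unknown")


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code plus one bootable NTFS partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"            # constructed NT disk signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 230_000_000)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    sector = code + disk_sig + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device, e.g. r'\\\\.\\PhysicalDrive0' (needs admin) or '/dev/sda'.

    Caveat: on a live system an active rootkit can filter this read; prefer offline media.
    """
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Constructed stand-in for legitimate OS boot code; its hash becomes the baseline.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    known = {parse_mbr(clean)["boot_code_sha1"]: "trusted baseline (constructed)"}
    # A bootkit replaces the boot code but keeps the partition table so the disk still boots.
    infected = build_sample_mbr(b"\xeb\x4c\x90" + b"\x90" * 64)
    for label, sector in (("clean", clean), ("infected", infected)):
        info = parse_mbr(sector)
        print(label, classify_boot_code(info, known), info["partitions"])
```

Run as-is it prints the constructed clean sector matching the baseline and the tampered one reporting "unknown" with an identical partition table; point `read_mbr` at a real device to hash a live MBR, and build the baseline table from media you trust rather than from the machine under investigation.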

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:54 AM

Posted 18 January 2011 - 09:37 PM

Okay, can you run TDSSKiller once again and post the new log here? I need to check on something.

After running TDSSKiller, do the following:

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#7 dan5

dan5
  • Topic Starter

  • Members
  • 23 posts
  • Local time:10:54 PM

Posted 18 January 2011 - 11:25 PM

Hi, TDSSKiller only found one thing but didn't give me the option to "cure", so I selected "move to quarantine". It didn't generate a report but did give me this: C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine

FYI, I've been running an Avira Antivirus scan every day and it keeps finding new things. The last scan found 8 infections but only moved 3 to quarantine. I tried to generate a report to post it here but it didn't let me...

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5551

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/01/2011 11:24:33 PM
mbam-log-2011-01-18 (23-24-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 200674
Time elapsed: 48 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MFJJEC0A1L (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:54 AM

Posted 18 January 2011 - 11:35 PM

Ok, try using your computer for a couple of days, and then tell me how it goes.. If anything wrong, we'll continue with the fixing process :)



#9 dan5

dan5
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 23 January 2011 - 07:10 PM

So far so good, I keep scanning and no viruses or anything come up. Thanks very much for your help!

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:54 AM

Posted 23 January 2011 - 11:14 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





