
can't reboot after TDSSKiller


  • This topic is locked
5 replies to this topic

#1 Modesto_73
  • Members
  • 8 posts

Posted 03 February 2011 - 02:16 PM

Hi,

I'm trying to clean my computer at work. Running XP Pro 32-bit, SP3. I've run some scans and found that I have the TDSS virus/trojan/rootkit, whatever term you wish to use, and yes, I know they are not the same thing. The point is I ran TDSSKiller, but it requires a reboot to clean the file (AFD), which it can't do because Windows won't reboot. I have to choose "Last known good configuration", and that seems to bring back the infection. I do have logs for TDSSKiller if that helps; basically I'm looking for a way to clean up this mess. Any help would be greatly appreciated :)
Any chance it is as simple as manually copying afd.sys from a clean computer with the same OS version?

Edit: Forgot to specify that I have tried the various Safe Mode reboot options, as well as Normal, to no avail.


2011/02/03 13:45:27.0992 2064 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/03 13:45:28.0498 2064 ================================================================================
2011/02/03 13:45:28.0498 2064 SystemInfo:
2011/02/03 13:45:28.0498 2064
2011/02/03 13:45:28.0498 2064 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/03 13:45:28.0498 2064 Product type: Workstation
2011/02/03 13:45:28.0498 2064 ComputerName: SHIPPING-02
2011/02/03 13:45:28.0498 2064 UserName: aromijn
2011/02/03 13:45:28.0498 2064 Windows directory: C:\WINDOWS
2011/02/03 13:45:28.0498 2064 System windows directory: C:\WINDOWS
2011/02/03 13:45:28.0498 2064 Processor architecture: Intel x86
2011/02/03 13:45:28.0498 2064 Number of processors: 2
2011/02/03 13:45:28.0498 2064 Page size: 0x1000
2011/02/03 13:45:28.0498 2064 Boot type: Normal boot
2011/02/03 13:45:28.0498 2064 ================================================================================
2011/02/03 13:45:28.0624 2064 Initialize success
2011/02/03 13:45:33.0759 2052 ================================================================================
2011/02/03 13:45:33.0759 2052 Scan started
2011/02/03 13:45:33.0759 2052 Mode: Manual;
2011/02/03 13:45:33.0759 2052 ================================================================================
2011/02/03 13:45:35.0166 2052 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/03 13:45:35.0229 2052 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/03 13:45:35.0276 2052 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/03 13:45:35.0324 2052 AFD (02e6b220f33e4df919575e21ccba3e2c) C:\WINDOWS\System32\drivers\afd.sys
2011/02/03 13:45:35.0324 2052 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 02e6b220f33e4df919575e21ccba3e2c, Fake md5: 7e775010ef291da96ad17ca4b17137d7
2011/02/03 13:45:35.0324 2052 AFD - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/02/03 13:45:35.0434 2052 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/02/03 13:45:35.0577 2052 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/02/03 13:45:35.0671 2052 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/03 13:45:35.0719 2052 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/03 13:45:35.0766 2052 ati2mtaa (2d030c2f6b036ca0bc243e1b16d924d1) C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
2011/02/03 13:45:35.0893 2052 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/03 13:45:35.0924 2052 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/03 13:45:35.0972 2052 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/03 13:45:36.0019 2052 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/03 13:45:36.0066 2052 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/03 13:45:36.0098 2052 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/03 13:45:36.0145 2052 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/03 13:45:36.0240 2052 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/03 13:45:36.0288 2052 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/03 13:45:36.0351 2052 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/03 13:45:36.0382 2052 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/03 13:45:36.0414 2052 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/03 13:45:36.0461 2052 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/03 13:45:36.0509 2052 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/03 13:45:36.0572 2052 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/03 13:45:36.0604 2052 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/03 13:45:36.0635 2052 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/03 13:45:36.0683 2052 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/02/03 13:45:36.0730 2052 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/03 13:45:36.0777 2052 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/03 13:45:36.0809 2052 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/03 13:45:36.0841 2052 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/03 13:45:36.0888 2052 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/03 13:45:36.0951 2052 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/03 13:45:37.0030 2052 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/03 13:45:37.0125 2052 ialm (748d242a1c1a92d14dfe225892a8749b) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/02/03 13:45:37.0220 2052 iaStor (d5edb998656e6ecf1a17c78dab019a3c) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/02/03 13:45:37.0315 2052 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/03 13:45:37.0473 2052 IntcAzAudAddService (988a112c4061f309ce9c1abfc971d001) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/02/03 13:45:37.0583 2052 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/03 13:45:37.0615 2052 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/03 13:45:37.0646 2052 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/02/03 13:45:37.0678 2052 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/03 13:45:37.0694 2052 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/03 13:45:37.0725 2052 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/03 13:45:37.0789 2052 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/03 13:45:37.0836 2052 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/03 13:45:37.0883 2052 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/03 13:45:37.0947 2052 iteatapi (da1e87f07a64e144ca12843d9438e5f6) C:\WINDOWS\system32\DRIVERS\iteatapi.sys
2011/02/03 13:45:37.0962 2052 iteraid (c53360c1932904fe89c6be55378628cb) C:\WINDOWS\system32\DRIVERS\iteraid.sys
2011/02/03 13:45:37.0994 2052 KAPFA (d4c8c5525e478335cca41b30045dec01) C:\WINDOWS\system32\drivers\KAPFA.SYS
2011/02/03 13:45:38.0041 2052 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/03 13:45:38.0089 2052 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/03 13:45:38.0136 2052 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/03 13:45:38.0184 2052 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/03 13:45:38.0231 2052 L1e (964dadea4cce08f1de491e25ce50ba72) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
2011/02/03 13:45:38.0263 2052 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/02/03 13:45:38.0326 2052 m5287 (fc969e4e53c602884958a5fdffc53526) C:\WINDOWS\system32\DRIVERS\m5287.sys
2011/02/03 13:45:38.0357 2052 m5289 (2424b13987360840b4bf4e5fb5a66d3f) C:\WINDOWS\system32\DRIVERS\m5289.sys
2011/02/03 13:45:38.0405 2052 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/03 13:45:38.0436 2052 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/03 13:45:38.0515 2052 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/02/03 13:45:38.0658 2052 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/03 13:45:38.0705 2052 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/03 13:45:38.0752 2052 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/03 13:45:38.0784 2052 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/03 13:45:38.0831 2052 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/03 13:45:38.0879 2052 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/03 13:45:38.0926 2052 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/03 13:45:38.0974 2052 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/03 13:45:39.0005 2052 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/03 13:45:39.0037 2052 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/03 13:45:39.0068 2052 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/02/03 13:45:39.0100 2052 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/03 13:45:39.0147 2052 mv614x (9cc2eba4ccb35225b5597a78ca80084f) C:\WINDOWS\system32\DRIVERS\mv614x.sys
2011/02/03 13:45:39.0179 2052 mv61xx (86944f540289e16298af4f5b1c45fa4e) C:\WINDOWS\system32\DRIVERS\mv61xx.sys
2011/02/03 13:45:39.0226 2052 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/03 13:45:39.0242 2052 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/03 13:45:39.0258 2052 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/03 13:45:39.0290 2052 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/03 13:45:39.0321 2052 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/03 13:45:39.0337 2052 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/03 13:45:39.0353 2052 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/03 13:45:39.0416 2052 nmwcd (c3963d85b721a7f80d8a55f4e2867a3a) C:\WINDOWS\system32\drivers\ccdcmb.sys
2011/02/03 13:45:39.0495 2052 nmwcdc (3859c69a77793180548802dac9f34a38) C:\WINDOWS\system32\drivers\ccdcmbo.sys
2011/02/03 13:45:39.0543 2052 nmwcdnsu (338f83ee9cb9e15eeacf0cbb90218cbf) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
2011/02/03 13:45:39.0574 2052 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/03 13:45:39.0606 2052 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/03 13:45:39.0653 2052 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/03 13:45:39.0669 2052 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/03 13:45:39.0685 2052 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/03 13:45:39.0732 2052 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/03 13:45:39.0764 2052 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/03 13:45:39.0795 2052 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/03 13:45:39.0827 2052 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2011/02/03 13:45:39.0843 2052 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/03 13:45:39.0874 2052 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/03 13:45:39.0906 2052 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/03 13:45:40.0001 2052 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/03 13:45:40.0032 2052 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/03 13:45:40.0064 2052 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/03 13:45:40.0143 2052 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/03 13:45:40.0159 2052 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/03 13:45:40.0190 2052 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/03 13:45:40.0206 2052 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/03 13:45:40.0222 2052 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/03 13:45:40.0285 2052 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/03 13:45:40.0301 2052 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/03 13:45:40.0348 2052 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/03 13:45:40.0396 2052 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/03 13:45:40.0443 2052 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/02/03 13:45:40.0491 2052 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/03 13:45:40.0522 2052 Ser2pl (5d418bc3bd53a24a382988d5bef4fc27) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
2011/02/03 13:45:40.0570 2052 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/03 13:45:40.0601 2052 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/03 13:45:40.0649 2052 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/03 13:45:40.0712 2052 Si3112r (39dcaa6a073c1be997ad7685b95685e1) C:\WINDOWS\system32\DRIVERS\si3112r.sys
2011/02/03 13:45:40.0759 2052 SI3132 (9604998d0c578608151b6e59266fcae1) C:\WINDOWS\system32\DRIVERS\SI3132.sys
2011/02/03 13:45:40.0791 2052 SiSRaid (4c597e4de6edf6453990059ba0eac7d0) C:\WINDOWS\system32\DRIVERS\SiSRaid.sys
2011/02/03 13:45:40.0807 2052 SiSRaid1 (52192d1a30ae56a203c047213b0f596b) C:\WINDOWS\system32\DRIVERS\SiSRaid1.sys
2011/02/03 13:45:40.0838 2052 SiSRaid2 (a2a23d27934e0d89a09efd02ac587269) C:\WINDOWS\system32\DRIVERS\SiSRaid2.sys
2011/02/03 13:45:40.0886 2052 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/03 13:45:40.0933 2052 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/03 13:45:40.0965 2052 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/03 13:45:41.0044 2052 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/03 13:45:41.0059 2052 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/03 13:45:41.0138 2052 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/03 13:45:41.0202 2052 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/03 13:45:41.0249 2052 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/03 13:45:41.0265 2052 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/03 13:45:41.0312 2052 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/03 13:45:41.0375 2052 tmcomm (c4ddce6124bf6a711ab14d8153eac61d) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/02/03 13:45:41.0454 2052 TmFilter (3e615f370f0c7db414b6bcd1c18399d4) C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys
2011/02/03 13:45:41.0518 2052 TmPreFilter (c7c7959ec0940e0eddfc881fed8ec214) C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys
2011/02/03 13:45:41.0549 2052 tmtdi (44c262c1b2412ded35078b6166d2acc2) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
2011/02/03 13:45:41.0612 2052 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/03 13:45:41.0676 2052 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/03 13:45:41.0723 2052 upperdev (0ccadc7391021376edbb8aa649d04e68) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
2011/02/03 13:45:41.0770 2052 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/03 13:45:41.0834 2052 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/03 13:45:41.0881 2052 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/03 13:45:41.0913 2052 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/02/03 13:45:41.0944 2052 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/03 13:45:41.0976 2052 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
2011/02/03 13:45:41.0992 2052 UsbserFilt (68b4f83cccf70a2ff32ee142c234332a) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
2011/02/03 13:45:42.0039 2052 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/03 13:45:42.0071 2052 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/03 13:45:42.0102 2052 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/03 13:45:42.0134 2052 viasraid (8d20736efc3e9ac93f3721865cd69dab) C:\WINDOWS\system32\DRIVERS\viasraid.sys
2011/02/03 13:45:42.0197 2052 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/03 13:45:42.0308 2052 VSApiNt (60dfbc34228ca36221b03460789f5d4e) C:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys
2011/02/03 13:45:42.0371 2052 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/03 13:45:42.0434 2052 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/02/03 13:45:42.0529 2052 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/03 13:45:42.0592 2052 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/02/03 13:45:42.0639 2052 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/03 13:45:42.0671 2052 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/03 13:45:42.0703 2052 ================================================================================
2011/02/03 13:45:42.0703 2052 Scan finished
2011/02/03 13:45:42.0703 2052 ================================================================================
2011/02/03 13:45:42.0703 3400 Detected object count: 1
2011/02/03 13:45:48.0344 3400 AFD (02e6b220f33e4df919575e21ccba3e2c) C:\WINDOWS\System32\drivers\afd.sys
2011/02/03 13:45:48.0344 3400 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 02e6b220f33e4df919575e21ccba3e2c, Fake md5: 7e775010ef291da96ad17ca4b17137d7
2011/02/03 13:45:48.0517 3400 Backup copy found, using it..
2011/02/03 13:45:48.0549 3400 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2011/02/03 13:45:48.0549 3400 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
2011/02/03 13:45:50.0619 3900 Deinitialize success

Edited by Modesto_73, 03 February 2011 - 02:23 PM.
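The security-relevant line in the log above is the "Suspicious file (Forged)" entry: TDSSKiller reports two different MD5 values for the same path, which means two ways of reading C:\WINDOWS\System32\drivers\afd.sys returned different content. That disagreement, rather than any signature, is the signal that something between the file-system API and the disk is filtering reads, which is how a TDL3-class rootkit hides the driver it has patched. The following is an added example, not code from the original post or from TDSSKiller: a small Python parser for the 2.4.x log format that pulls out forged-file entries, pairs them with the service name, verdict and cure status, and flags the hash mismatch. The sample log is constructed from lines of the post above (the hashes are copied from it); the regex names, the `Finding` fields and the function names are my own assumptions about how to structure this, not anything Kaspersky publishes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller 2.4.x log format. The AFD lines
# reproduce the shape (and hashes) of the detection in the post above; the
# aec.sys line is a normal, undetected driver entry.
SAMPLE_LOG = r"""
2011/02/03 13:45:35.0276 2052 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/03 13:45:35.0324 2052 AFD (02e6b220f33e4df919575e21ccba3e2c) C:\WINDOWS\System32\drivers\afd.sys
2011/02/03 13:45:35.0324 2052 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 02e6b220f33e4df919575e21ccba3e2c, Fake md5: 7e775010ef291da96ad17ca4b17137d7
2011/02/03 13:45:35.0324 2052 AFD - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/02/03 13:45:48.0549 3400 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2011/02/03 13:45:48.0549 3400 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
"""

# Every line starts with "YYYY/MM/DD hh:mm:ss.ffff <thread id> ".
_PREFIX = r"^\S+ \S+ \d+ "
DRIVER_RE = re.compile(_PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    _PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECT_RE = re.compile(_PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+)")
CURE_RE = re.compile(_PREFIX + r"(?P<path>.+?) - will be cured after reboot$")


@dataclass
class Finding:
    name: Optional[str]            # service name, e.g. "AFD" (hypothetical field layout)
    path: str                      # on-disk path of the driver image
    real_md5: str                  # hash TDSSKiller labels "Real"
    fake_md5: str                  # hash TDSSKiller labels "Fake"
    verdict: Optional[str] = None  # e.g. "Rootkit.Win32.TDSS.tdl3"
    cure_scheduled: bool = False   # "will be cured after reboot" was logged


def hashes_disagree(f: Finding) -> bool:
    """The forged-file signal: two reads of the same image yield different hashes."""
    return f.real_md5.lower() != f.fake_md5.lower()


def parse_tdsskiller(text: str) -> List[Finding]:
    """Walk the log once, correlating driver, forged, verdict and cure lines by path/name."""
    drivers: Dict[str, str] = {}   # lowercased path -> service name
    findings: List[Finding] = []

    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue

        m = FORGED_RE.match(line)
        if m:
            path = m.group("path")
            findings.append(Finding(
                name=drivers.get(path.lower()),
                path=path,
                real_md5=m.group("real"),
                fake_md5=m.group("fake"),
            ))
            continue

        m = DETECT_RE.match(line)
        if m:
            for f in findings:
                if f.name == m.group("name"):
                    f.verdict = m.group("verdict")
            continue

        m = CURE_RE.match(line)
        if m:
            for f in findings:
                if f.path.lower() == m.group("path").lower():
                    f.cure_scheduled = True
            continue

        m = DRIVER_RE.match(line)
        if m:
            drivers[m.group("path").lower()] = m.group("name")

    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, leading with the service name."""
    out = []
    for f in findings:
        flag = "HASH MISMATCH" if hashes_disagree(f) else "hashes agree"
        state = "cure scheduled at reboot" if f.cure_scheduled else "no cure scheduled"
        out.append(f"{f.name or '?'}: {f.path} [{f.verdict or 'no verdict'}] {flag}; {state}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_tdsskiller(SAMPLE_LOG)):
        print(line)
```

Run against the full log in the post, the parser returns a single finding for AFD with the cure flagged as scheduled, which matches the "Backup copy found, using it.." and "will be cured after reboot" lines: the tool intended to restore the driver from its own backup at the next boot, and the thread's problem is that the boot never completes.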



#2 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 February 2011 - 02:57 PM

Since you say this is a work computer, have you contacted and advised your IT Department? In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. At most community security sites like this, we do not have the staff or resources to deal with numerous client machines or the complexities of network disinfection. A lot of helpers are not familiar with Servers and many of the tools we use are restricted to non-commercial use by their creators. Further, we are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system.

A business IT staff generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods. The malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate disinfection measures.

If you're reluctant or embarrassed to inform the IT Team, keep in mind that they can easily trace the source of the infection. It is much better to bring this to their attention than to deal with the consequences of violating security policy once the IT Team and your supervisor find out.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Modesto_73
  • Topic Starter
  • Members
  • 8 posts

Posted 03 February 2011 - 03:49 PM

Thanks for your reply :)

I could contact the IT department; the problem is we have a contract with a computer store, and they do come in from time to time, but are not really on staff over here. I am usually the one who gets called in to deal with smaller issues, and I have mentioned to my supervisor what the issue is, so it certainly isn't embarrassment or trying to cover up. As for the actual direct source, I'm not sure, since the computers are to be left on 24/7 so that the computer guys at the store we contract can have remote access to do occasional updates or maintenance.
In the past I've had several hardware obstacles, and trying to follow the chain of command (so to speak) I passed on the problem. Their answer: it can't be done. My answer: each of the two issues took less than 5 minutes to solve. Now I have a web page on my desktop, some Excel macros that took a long time to develop, and various database connections. I don't want to pass it on to someone whose "solution" is just formatting and then giving me back a fresh system so I can start all over again. Hence my search for a solution on my own... I hope you understand and might be able to help me out a tad.
Thanks either way :)

Edited by Modesto_73, 03 February 2011 - 03:50 PM.


#4 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 February 2011 - 06:48 PM

Since TDSSKiller is detecting a rootkit infection but you are having booting issues afterwards, I recommend further investigation to get a closer look at your system before trying anything else. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants, so more advanced tools are needed to investigate. Before that can be done, you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

#5 Modesto_73
  • Topic Starter
  • Members
  • 8 posts

Posted 04 February 2011 - 07:58 AM

I have posted in the "Virus, Trojan, Spyware, and Malware Removal Logs" section. Here is my post.

#6 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 February 2011 - 08:37 AM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.



