
rootkit.win32.backboot.gen


#1 jaxmom

Posted 15 March 2011 - 08:41 PM

Computer started redirecting me in searches today, so I ran Malwarebytes (which found nothing) and then TDSSKiller v2.4.7.0 (because I didn't believe MBAM). TDSSKiller found rootkit.win32.backboot.gen in Hardrive(0). The only options are to skip, quarantine, or restore (cure doesn't show up). I have tried both skip and quarantine, with subsequent manual reboots, with no change. System files such as the general Windows folder are still unavailable in Windows Explorer, redirects still occurring, browser launches sporadic and redirects guaranteed.

Chrome most often returns "aw snap," though it might load; will redirect outside of cache. Firefox loads usually but redirects (again, outside of cache) and tends to hang. IE7 (required for work) may or may not load, always hangs, always redirects (except for cache).

TaskMan functions but shows nothing amiss, as does ProcExplorer, though sometimes additional iexplore processes run; I cannot track the program calling them (and they don't run all the time). A win32 error occurs if I try to access the Windows Update service.

It is a svchost process eating my CPU, but with ProcExp not showing a strange call line, I can't identify further.

I have admin rights but cannot access safe mode. I cannot turn off Trend Micro real-time scan (work issue). Running Win XP pro on a Dell Latitude D630 laptop. Any help would be most appreciated.

___________________

I have followed the steps in the prep guide - could not run Defogger as admin rights have apparently been disabled. Also, my background image has changed from moonscape to the default light blue. I've now turned off my radio button (wifi only on infected computer) so it cannot access the internet. Random Acrobat processes sometimes appear in TaskMan.

DDS.txt is:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by JPL03 at 20:50:34.85 on Tue 03/15/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1295 [GMT -4:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {CFA3A29D-B643-4196-8DD5-72308F38BB4F}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jpl03\Local Settings\Application Data\ATT Connect\Participant\pull.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\jpl03\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [Push Client] c:\documents and settings\jpl03\local settings\application data\att connect\participant\pull.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [LLSync6] c:\lbsbin\llsync6.exe /AddRunOnce
mRun: [IntelAPMClient] "c:\program files\landesk\ldclient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRunOnce: [llsync6] c:\lbsbin\llsync6.exe /RunOnce
mRunOnce: [DCERegBootClean] c:\windows\RegBootClean.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft access 2000\office\OSA9.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {58D47A56-C89C-4BC7-A22E-33592CBBDDA5} - hxxps://secure.acuitybrandslighting.net/CabFiles_Std/ABLSecAX.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://zone.msn.com/bingame/dsh2/default/DinerDash2.1.0.0.68.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238090794937
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFECAFE-0013-0001-0024-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://attwm.webex.com/client/T25L10NSP41EP15-attwm/webex/ieatgpc.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.acuitybrands.com/dana-cached/sc/JuniperSetupClient.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2007-9-11 266240]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-6-16 249424]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-6-16 36432]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2007-9-11 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2007-9-11 3712]
S2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2007-1-9 122880]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S2 LLLogSvc;LLLogSvc;c:\lbsbin\platfo~1\LLLogSvc.exe [2007-9-11 49211]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2007-9-11 11904]
S3 Teardes;Teardes; [x]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-10-5 51792]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-2-23 689416]
.
=============== Created Last 30 ================
.
2011-03-16 00:14:58 102400 ----a-w- c:\windows\RegBootClean.exe
2011-03-15 23:14:10 -------- d-----w- C:\TDSSKiller_Quarantine
2011-03-12 16:37:33 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-03-12 16:35:48 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-03-12 16:24:39 -------- d-----w- c:\program files\iPod
2011-02-19 19:32:20 -------- d-----w- c:\program files\Westward Kingdoms
2011-02-18 20:31:57 62736 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\PullClientStartSho_CD6A27034E724245941D2EB3A8CF0DD5.exe
2011-02-18 20:31:57 62736 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\ParticipantStartSh_DF0BA5751BF84E0AABDD4B6DA83B3B0C.exe
2011-02-18 20:31:57 62736 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\NewShortcut11_0A40599CA5B444D89111273D573729A6.exe
2011-02-18 20:31:57 62736 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\MyATTStartShortcut_37B266125E564D7BBC298658403757C7.exe
2011-02-18 20:31:57 62736 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\LSUStartShortcut1_0C445A24F06A4871AC024995E6B63EA6.exe
2011-02-18 20:31:57 62736 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\LSUDesktopShortcut_5E8B335F6B1645798E61AE17118989A8.exe
2011-02-18 20:31:57 62736 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\ARPPRODUCTICON.exe
2011-02-18 20:31:57 58640 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\MyATTDesktopShortc_F98F597BB2C24BCA8A2E00E99FF50C40.exe
2011-02-18 20:31:57 46352 ----a-r- c:\docume~1\jpl03\applic~1\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\ParticipantHelpSta_AFE5E24C07B1432883124EEC348980E5.exe
2011-02-18 20:31:44 -------- d-----w- c:\docume~1\jpl03\locals~1\applic~1\ATT Connect
2011-02-18 20:31:44 -------- d-----w- c:\docume~1\jpl03\applic~1\ATT Connect
2011-02-18 20:31:07 -------- d-----w- c:\docume~1\jpl03\locals~1\applic~1\Downloaded Installations
2011-02-16 01:09:49 -------- d-----w- c:\docume~1\jpl03\applic~1\GOA
2011-02-16 01:09:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\GOA
2011-02-16 00:55:01 -------- d-----w- c:\program files\Little Folk of Faery
2011-02-16 00:51:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Big Fish Games
.
==================== Find3M ====================
.
2011-02-06 09:28:32 479 ----a-w- c:\program files\020620114283184.bat
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-27 01:26:34 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-01-27 01:26:34 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-01-27 01:26:31 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-01-21 14:44:37 8462336 ----a-w- c:\windows\system32\SETC1.tmp
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-08 03:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27:00 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-01-08 03:27:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27:00 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27:00 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27:00 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-01-08 03:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27:00 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27:00 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-01-08 03:27:00 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\SETDD.tmp
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-08-23 20:05:09 438 ----a-w- c:\program files\0823201016050894.bat
2010-06-03 02:22:51 440 ----a-w- c:\program files\0602201022225141.bat
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS722080K9A300 rev.DCBOC54P -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskHitachi_HTS722080K9A300_________________DCBOC54P#3730313132315044423030315144444753385045#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9C441F
user & kernel MBR OK
.
============= FINISH: 20:56:51.85 ===============





************************************************************************************************
GMER Attach and ark.txt are attached.

Thanks in advance for your assistance. You guys are wonderful for volunteering this way.

Edited by jaxmom, 15 March 2011 - 09:12 PM.
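An added note and example from the editor, not part of the thread: the ROOTKIT section of the DDS log above shows GMER reading the MBR from user mode and from kernel mode and finding them consistent ("user & kernel MBR OK"), while at the same time reporting a hook on \Driver\atapi DriverStartIo. The general caveat this illustrates is that a bootkit sitting on the disk I/O path can hand the original sector back to anything reading from inside the running OS, so a clean-looking in-OS MBR read is not conclusive on its own; the reliable comparison is against sector 0 read after booting from known-clean media. The Python below (editor's example, not a tool from the post) parses a 512-byte MBR image, runs structural checks on the signature and partition table, and diffs the boot-code region of two captures. The two sample sectors are constructed: the prologue bytes are the standard Windows XP MBR code that the GMER disassembly in the log decodes to, the rest is zero filler, and the partition geometry is made up.

```python
"""MBR integrity check (added example, not part of the thread).

Reads two 512-byte captures of sector 0, e.g. one taken from inside the running OS
and one taken after booting from clean media, validates the structure of each and
reports where their boot code differs. Sample sectors below are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOTCODE_END = 0x1B8      # boot code ends where the 4-byte disk signature begins
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
PART_ENTRY_SIZE = 16
SIGNATURE_OFF = 0x1FE     # 0x55 0xAA

# Windows XP MBR prologue; the GMER disassembly in the DDS log above decodes to
# exactly this byte sequence (XOR AX,AX / MOV SS,AX / MOV SP,7C00h / STI / ...).
XP_MBR_PROLOGUE = bytes.fromhex(
    "33C0 8ED0 BC007C FB 50 07 50 1F FC BE1B7C BF1B06 50 57 B9E501 F3A4 CB"
)


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table entries (LBA fields only; CHS is ignored)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_SIZE
        lba_start, sector_count = struct.unpack_from("<II", mbr, off + 8)
        parts.append(Partition(i, mbr[off] == 0x80, mbr[off + 4], lba_start, sector_count))
    return parts


def check_mbr(mbr: bytes) -> List[str]:
    """Structural sanity checks; an empty list means nothing looked wrong."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    findings = []
    if mbr[SIGNATURE_OFF:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p.active for p in parts) > 1:
        findings.append("more than one partition marked active")
    for p in parts:
        if p.type_id == 0 and (p.lba_start or p.sector_count):
            findings.append(f"entry {p.index}: empty type but non-zero extent")
        if p.type_id and p.lba_start == 0:
            findings.append(f"entry {p.index}: starts at LBA 0, overlapping the MBR")
    used = sorted((p.lba_start, p.lba_start + p.sector_count, p.index)
                  for p in parts if p.type_id)
    for (a_start, a_end, a_idx), (b_start, _, b_idx) in zip(used, used[1:]):
        if b_start < a_end:
            findings.append(f"entries {a_idx} and {b_idx} overlap")
    return findings


def bootcode_sha256(mbr: bytes) -> str:
    """Hash of the boot-code region, for comparison against a known-good baseline."""
    return hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest()


def diff_bootcode(online: bytes, offline: bytes) -> List[int]:
    """Offsets at which the boot code of two captures of the same disk differs.

    A non-empty result means the in-OS view of sector 0 is not what is on disk,
    which is what a bootkit filtering disk I/O would produce.
    """
    return [i for i in range(BOOTCODE_END) if online[i] != offline[i]]


# --- constructed sample sectors -------------------------------------------

def _entry(active: bool, type_id: int, lba: int, count: int) -> bytes:
    # CHS fields are zero filler; everything that matters here uses LBA.
    return struct.pack("<B3sB3sII", 0x80 if active else 0, b"\0\0\0", type_id, b"\0\0\0", lba, count)


def _build_mbr(bootcode: bytes, entries: List[bytes]) -> bytes:
    sector = bootcode.ljust(BOOTCODE_END, b"\x00")   # boot code padded to 0x1B8
    sector += b"\x00" * 6                             # disk signature + reserved (zeroed)
    sector += b"".join(entries) + b"\x55\xAA"
    assert len(sector) == MBR_SIZE
    return sector


EMPTY_ENTRY = _entry(False, 0x00, 0, 0)
SYSTEM_ENTRY = _entry(True, 0x07, 63, 156_000_000)   # NTFS, starts at LBA 63 (constructed)

# Clean capture: standard prologue, one NTFS partition.
CLEAN_MBR = _build_mbr(XP_MBR_PROLOGUE, [SYSTEM_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY])

# Tampered capture: a two-byte short jump inserted ahead of the original code,
# partition table untouched. Structural checks alone cannot tell it from CLEAN_MBR.
TAMPERED_MBR = _build_mbr(b"\xEB\x3C" + XP_MBR_PROLOGUE,
                          [SYSTEM_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY])


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(f"{name}: findings={check_mbr(sector)} sha256={bootcode_sha256(sector)[:16]}...")
    print("offsets differing between in-OS and offline read:",
          diff_bootcode(TAMPERED_MBR, CLEAN_MBR))
```

Both constructed sectors pass the structural checks, which is the point: a rewritten boot code with an intact partition table looks fine to a parser, and only the byte-level comparison against an offline read (or a hash against a known-good baseline) exposes it. On a real machine the two inputs would be sector 0 read with a raw disk handle from inside Windows and the same sector read from a live CD.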


#2 jaxmom (Topic Starter)

Posted 16 March 2011 - 09:43 AM

After updating TDSSKiller to v2.4.21.0, the rootkit was identified as TDSS.tld4. Kaspersky was able to clean it.

After reboot, the redirects are gone and Windows files are showing in Explorer. CPU has normalized and new TDSS/MBAM scans are clean.

I think I've gotten it for now. :)

#3 Budapest (Moderator)

Posted 16 March 2011 - 04:10 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.