Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect Virus


  • This topic is locked This topic is locked
2 replies to this topic

#1 Dale Butler

Dale Butler

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:22 AM

Posted 13 April 2011 - 12:01 PM

DDS Log

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Judy at 11:27:00.29 on Wed 04/13/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.473 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Judy\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0311&m=ao751h
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0311&m=ao751h
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0311&m=ao751h
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0311&m=ao751h
uInternet Settings,ProxyServer = proxy.breck.kyschools.us:8080
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.415.1646\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PersistenceThread] c:\windows\system32\PersistenceThread.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igdlogin - igdlogin.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-4-15 237568]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-4-15 5096544]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-15 1684736]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-4-15 24064]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rtsustor.sys --> c:\windows\system32\drivers\RtsUStor.sys [?]
S3 RtsUIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2011-04-08 00:14:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-08 00:14:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-06 01:57:47 -------- d-----w- c:\docume~1\judy\applic~1\SUPERAntiSpyware.com
2011-04-06 01:57:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-06 01:54:29 -------- d-----w- c:\program files\SUPERAntiSpyware
.
==================== Find3M ====================
.
2011-03-02 21:35:33 29480 ----a-w- c:\windows\system32\msxml3a.dll
2011-03-02 21:35:32 353576 ----a-w- c:\windows\system32\msvcr71.dll
2011-03-02 21:35:31 505128 ----a-w- c:\windows\system32\msvcp71.dll
2011-03-02 21:30:37 178 ----a-w- c:\windows\CLEANUP.CMD
2011-03-02 21:19:59 2014 ----a-w- c:\windows\net_CLEANUP.CMD
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160310AS rev.0303 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8654D439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865537d0]; MOV EAX, [0x8655384c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86579AB8]
3 CLASSPNP[0xF767DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000008d[0x865881F0]
5 ACPI[0xF7494620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8655D940]
\Driver\atapi[0x865792E0] -> IRP_MJ_CREATE -> 0x8654D439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9160310AS_____________________________0303____#5&17e46ae0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8654D27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:28:42.53 ===============

Attach Log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/2/2011 10:35:36 AM
System Uptime: 4/13/2011 11:09:51 AM (0 hours ago)
.
Motherboard: Acer | | JV11-ML
Processor: Intel® Atom™ CPU Z520 @ 1.33GHz | U3E1 | 1330/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 141 GiB total, 129.719 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 3/2/2011 10:35:42 AM - System Checkpoint
RP2: 3/2/2011 3:15:57 PM - Removed Atheros Driver Installation Program
RP3: 3/2/2011 3:18:19 PM - Installed Atheros Driver Installation Program
RP4: 3/2/2011 3:20:17 PM - Installed REALTEK GbE & FE Ethernet PCI-E NIC Driver
RP5: 3/2/2011 3:22:36 PM - Installed Windows XP Wdf01007.
RP6: 3/2/2011 3:24:50 PM - Installed Realtek High Definition Audio Driver
RP7: 3/2/2011 3:29:30 PM - Installed WebCam
RP8: 3/2/2011 3:38:41 PM - Configured PowerDVD
RP9: 3/2/2011 3:40:20 PM - Installed Acer Crystal Eye webcam 2.2.0.2
RP10: 3/7/2011 7:14:36 PM - System Checkpoint
RP11: 3/7/2011 7:17:46 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP12: 3/7/2011 7:18:01 PM - Installed AVG 2011
RP13: 3/7/2011 7:24:55 PM - Installed AVG 2011
RP14: 4/10/2011 1:59:30 PM - System Checkpoint
RP15: 4/13/2011 10:03:41 AM - Removed AVG 2011
RP16: 4/13/2011 10:05:14 AM - Removed AVG 2011
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acer Crystal Eye webcam 2.2.0.2
Acer ScreenSaver
Acer VCM
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Air Strike 2
Atheros Driver Installation Program
Bejeweled 2 Deluxe
C:\Program Files\Acer GameZone\GameConsole
Cake Mania 2
Carbonite Online Backup Setup
Choice Guard
Compatibility Pack for the 2007 Office system
Cooking Dash
CyberLink PowerDVD 8
Dream Day First Home
Dream Day Wedding
eSobi v2
Farm Frenzy
Galapago
Google Desktop
Google Toolbar for Internet Explorer
Home Sweet Home
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Intel® Graphics Media Accelerator 500
Jewel Quest Solitaire
Junk Mail filter update
Launch Manager
Mahjong Escape Ancient China
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB954430)
Parking Dash
Peggle
Rainbow Web
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Segoe UI
Star Defender 4
SUPERAntiSpyware
Synaptics Pointing Device Driver
Tradewinds 2
Tri-Peaks Solitaire To Go
Update for Office 2007 (KB946691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
USB2.0 Card Reader Software
WebCam
WebFldrs XP
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
4/8/2011 6:38:52 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Image Acquisition (WIA) service to connect.
4/8/2011 6:38:52 AM, error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/7/2011 6:18:59 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
4/13/2011 9:51:56 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 002556063106 has been denied by the DHCP server 10.253.45.12 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================

Ark Log

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-13 11:53:36
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST9160310AS rev.0303
Running: gmer.exe; Driver: C:\DOCUME~1\Judy\LOCALS~1\Temp\kgndykog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE497620]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Judy\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00EB000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00EC000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00BD000C
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0106000A
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0107000A
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0108000A
.text C:\WINDOWS\System32\svchost.exe[1084] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\wuauclt.exe[1644] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 02D4000A
.text C:\WINDOWS\system32\wuauclt.exe[1644] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 02D5000A
.text C:\WINDOWS\system32\wuauclt.exe[1644] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 02D3000C
.text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00F6000A
.text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00F7000A
.text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00F5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8654D27F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8654D27F
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9160310AS_____________________________0303____#5&17e46ae0&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  DDS.txt   9.17KB   0 downloads
  • Attached File  ark.txt   4.84KB   0 downloads


BC AdBot (Login to Remove)

 


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 13 April 2011 - 01:14 PM

:welcome: to BC!

There is a Bootkit in there that need to be taken care of.

Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • Information on how your computer is running after those steps.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#3 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 19 April 2011 - 03:22 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users