
Malware Problems


6 replies to this topic

#1 ward_214

ward_214

  • Members
  • 12 posts

Posted 17 April 2011 - 10:23 PM

Hello,
I'm having some trouble with things popping up randomly (browsers that weren't meant to appear, useless ads, and things of that nature).
I'm currently in Safe Mode right now because when I log into my account it logs me back out but then works in Safe Mode.

Here are my documents, please help!

Attached File  MBRCheck_04.17.11_23.12.21.txt   8.04KB   3 downloads
Attached File  DDS.txt   16.99KB   6 downloads
Attached File  remover.txt   497bytes   3 downloads


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 18 April 2011 - 05:27 AM

:welcome: to BC!

Looks as if there is a rootkit playing around in there.

Please don't attach logs if you aren't specifically asked to do so.

Step 1.
TDSSKiller:

Do this from Safe Mode.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of Attach.txt on your desktop.
  • Can you log into normal mode now?

Edited by heir, 18 April 2011 - 05:28 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donate image.


#3 ward_214

ward_214
  • Topic Starter

  • Members
  • 12 posts

Posted 19 April 2011 - 10:16 PM

Well, I can log into normal mode without errors.

Although, browsers are still popping up and things are showing up that aren't supposed to. And also, sometimes the browser (that's working) goes to "Not Responding" so I have to close it out and reopen it.

There is one thing that keeps showing up. It says "A program cannot display a message on your desktop" and there are two options, 'Show me the Message' and 'Remind me in a few minutes'.

2011/04/18 22:35:41.0499 4008 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/18 22:35:42.0731 4008 ================================================================================
2011/04/18 22:35:42.0731 4008 SystemInfo:
2011/04/18 22:35:42.0731 4008
2011/04/18 22:35:42.0731 4008 OS Version: 6.0.6000 ServicePack: 0.0
2011/04/18 22:35:42.0731 4008 Product type: Workstation
2011/04/18 22:35:42.0747 4008 ComputerName: ADAM-PC
2011/04/18 22:35:42.0747 4008 UserName: Adam
2011/04/18 22:35:42.0747 4008 Windows directory: C:\Windows
2011/04/18 22:35:42.0747 4008 System windows directory: C:\Windows
2011/04/18 22:35:42.0747 4008 Processor architecture: Intel x86
2011/04/18 22:35:42.0747 4008 Number of processors: 2
2011/04/18 22:35:42.0747 4008 Page size: 0x1000
2011/04/18 22:35:42.0747 4008 Boot type: Safe boot with network
2011/04/18 22:35:42.0747 4008 ================================================================================
2011/04/18 22:35:43.0012 4008 Initialize success
2011/04/18 22:35:45.0664 3708 ================================================================================
2011/04/18 22:35:45.0664 3708 Scan started
2011/04/18 22:35:45.0664 3708 Mode: Manual;
2011/04/18 22:35:45.0664 3708 ================================================================================
2011/04/18 22:35:47.0754 3708 crcdisk (227ae84676df55a74f4c609b900551e4) C:\Windows\system32\drivers\crcdisk.sys
2011/04/18 22:35:47.0754 3708 Suspicious file (Forged): C:\Windows\system32\drivers\crcdisk.sys. Real md5: 227ae84676df55a74f4c609b900551e4, Fake md5: 2a213ae086bbec5e937553c7d9a2b22c
2011/04/18 22:35:47.0754 3708 crcdisk - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/18 22:35:55.0820 3708 ================================================================================
2011/04/18 22:35:55.0820 3708 Scan finished
2011/04/18 22:35:55.0820 3708 ================================================================================
2011/04/18 22:35:55.0820 3096 Detected object count: 1
2011/04/18 22:36:01.0295 3096 crcdisk (227ae84676df55a74f4c609b900551e4) C:\Windows\system32\drivers\crcdisk.sys
2011/04/18 22:36:01.0295 3096 Suspicious file (Forged): C:\Windows\system32\drivers\crcdisk.sys. Real md5: 227ae84676df55a74f4c609b900551e4, Fake md5: 2a213ae086bbec5e937553c7d9a2b22c
2011/04/18 22:36:01.0373 3096 Backup copy found, using it..
2011/04/18 22:36:01.0389 3096 C:\Windows\system32\drivers\crcdisk.sys - will be cured after reboot
2011/04/18 22:36:01.0389 3096 Rootkit.Win32.TDSS.tdl3(crcdisk) - User select action: Cure
2011/04/18 22:36:09.0251 1708 Deinitialize success


Attached File  Attach.txt   10.41KB   1 downloads
Attached File  TDSSKiller.2.4.21.0_18.04.2011_22.35.41_log.txt   58.56KB   3 downloads

Edited by heir, 20 April 2011 - 01:41 AM.
pasted in log
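Added example (not from this thread and not TDSSKiller's own code): a small Python parser that pulls the security-relevant lines out of a TDSSKiller log in the format pasted above, so a helper can check the boot mode, the forged-file findings with both hashes, and whether each detection was actually cured rather than skipped. The sample log is constructed from a handful of the lines above; the field names and the `unresolved` rule (no action, or Skip) are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One log line: "YYYY/MM/DD HH:MM:SS.mmmm <thread id> <message>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# Driver enumeration line: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# The key line: two different hashes for one file means something in the I/O path is
# lying about the file's contents (TDSSKiller labels them "Real" and "Fake").
FORGED_RE = re.compile(
    r"^Suspicious file \((?P<kind>[^)]+)\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECTED_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<threat>\S+?)(?: \(\d+\))?$")
ACTION_RE = re.compile(r"^(?P<threat>[^(\s]+)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
BOOT_RE = re.compile(r"^Boot type: (?P<boot>.+)$")


@dataclass
class Finding:
    service: str
    path: str
    kind: str            # e.g. "Forged"
    real_md5: str        # "Real md5" as labelled by TDSSKiller
    fake_md5: str        # "Fake md5" as labelled by TDSSKiller
    threat: str = ""     # filled from the "- detected" line
    action: str = ""     # filled from the "User select action" line


@dataclass
class Summary:
    boot_type: str = ""
    services: Set[str] = field(default_factory=set)
    detected_count: Optional[int] = None
    findings: Dict[str, Finding] = field(default_factory=dict)  # keyed by service name

    def unresolved(self) -> List[str]:
        """Flagged services with no remediation recorded, or where Skip was chosen."""
        return [svc for svc, f in self.findings.items() if f.action in ("", "Skip")]


def parse_tdsskiller_log(text: str) -> Summary:
    s = Summary()
    last_driver = None  # (service, path) of the most recent enumeration line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, separator or blank line
        msg = m.group(3).strip()
        if (d := DRIVER_RE.match(msg)):
            s.services.add(d["svc"])
            last_driver = (d["svc"], d["path"])
        elif (f := FORGED_RE.match(msg)):
            # TDSSKiller prints the forged line right after the driver line it refers to,
            # so attribute it to that service when the paths agree.
            svc = last_driver[0] if last_driver and last_driver[1].lower() == f["path"].lower() else f["path"]
            s.findings.setdefault(svc, Finding(svc, f["path"], f["kind"], f["real"], f["fake"]))
        elif (t := DETECTED_RE.match(msg)):
            s.findings.setdefault(t["svc"], Finding(t["svc"], "", "Detected", "", "")).threat = t["threat"]
        elif (a := ACTION_RE.match(msg)) and a["svc"] in s.findings:
            s.findings[a["svc"]].action = a["action"]
        elif (c := COUNT_RE.match(msg)):
            s.detected_count = int(c["n"])
        elif (b := BOOT_RE.match(msg)):
            s.boot_type = b["boot"]
    return s


def format_report(s: Summary) -> str:
    lines = [f"Boot type: {s.boot_type or 'unknown'}",
             f"Services enumerated: {len(s.services)}",
             f"Detected objects (tool count): {s.detected_count}"]
    for svc, f in s.findings.items():
        lines.append(f"  {svc}: {f.kind} {f.path}")
        lines.append(f"    real md5 {f.real_md5}  fake md5 {f.fake_md5}")
        lines.append(f"    threat={f.threat or '?'} action={f.action or 'none'}")
    if s.unresolved():
        lines.append("UNRESOLVED: " + ", ".join(s.unresolved()))
    return "\n".join(lines)


# Constructed sample, modelled on the log pasted in this thread.
SAMPLE_LOG = r"""
2011/04/18 22:35:41.0499 4008 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/18 22:35:42.0747 4008 Boot type: Safe boot with network
2011/04/18 22:35:45.0664 3708 Scan started
2011/04/18 22:35:46.0538 3708 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
2011/04/18 22:35:47.0754 3708 crcdisk (227ae84676df55a74f4c609b900551e4) C:\Windows\system32\drivers\crcdisk.sys
2011/04/18 22:35:47.0754 3708 Suspicious file (Forged): C:\Windows\system32\drivers\crcdisk.sys. Real md5: 227ae84676df55a74f4c609b900551e4, Fake md5: 2a213ae086bbec5e937553c7d9a2b22c
2011/04/18 22:35:47.0754 3708 crcdisk - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/18 22:35:47.0848 3708 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys
2011/04/18 22:35:55.0820 3708 Scan finished
2011/04/18 22:35:55.0820 3096 Detected object count: 1
2011/04/18 22:36:01.0389 3096 Rootkit.Win32.TDSS.tdl3(crcdisk) - User select action: Cure
"""

if __name__ == "__main__":
    print(format_report(parse_tdsskiller_log(SAMPLE_LOG)))
```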


#4 heir

heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 20 April 2011 - 01:45 AM

Let's follow up with this then.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then use the donate link.


#5 ward_214 (Topic Starter)

Posted 20 April 2011 - 09:59 PM

Thanks!

It seems to have worked correctly without any errors!

Here is my log:

Attached File: log.txt


Now I'm wondering if I can find a legit FREE virus, trojan, and malware protection program?

Sorry for any inconvenience I have caused you. Your help is very, very appreciated.

ComboFix 11-04-20.03 - Adam 04/20/2011 22:42:46.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2037.1364 [GMT -4:00]
Running from: c:\users\Adam\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\OfferBox
c:\program files\OfferBox\OfferBox.exe
c:\program files\OfferBox\OfferBoxBHO.dll
c:\program files\OfferBox\OfferBoxChromeExtension.crx
c:\program files\OfferBox\OfferBoxEngine.dll
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome.manifest
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\events.js
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\overlay.xul
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.xpt
c:\program files\OfferBox\offerboxffx@offerbox.com\install.rdf
c:\program files\OfferBox\OfferBoxLauncher.exe
c:\program files\OfferBox\res\language.xml
c:\program files\OfferBox\res\loader.gif
c:\program files\OfferBox\uninst.exe
c:\programdata\bCg28610hIdEp28610
c:\programdata\bCg28610hIdEp28610\bCg28610hIdEp28610
c:\programdata\bCg28610hIdEp28610\bCg28610hIdEp28610.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\OfferBox Browser.lnk
c:\users\Adam\AppData\Local\{AB6B4B37-04D6-47A7-BF59-54120B7E72B1}
c:\users\Adam\AppData\Local\{AB6B4B37-04D6-47A7-BF59-54120B7E72B1}\chrome.manifest
c:\users\Adam\AppData\Local\{AB6B4B37-04D6-47A7-BF59-54120B7E72B1}\chrome\content\_cfg.js
c:\users\Adam\AppData\Local\{AB6B4B37-04D6-47A7-BF59-54120B7E72B1}\chrome\content\overlay.xul
c:\users\Adam\AppData\Local\{AB6B4B37-04D6-47A7-BF59-54120B7E72B1}\install.rdf
c:\users\Adam\AppData\Local\NPIKBDI.dll
c:\users\Adam\AppData\Local\ugilayotevokomas.dll
c:\users\Adam\AppData\Roaming\OfferBox
c:\users\Adam\AppData\Roaming\OfferBox\config.dat
c:\users\Adam\AppData\Roaming\OfferBox\config.xml
c:\windows\avp.exe
c:\windows\avp32.exe
c:\windows\cmd.exe
c:\windows\csrss.exe
c:\windows\debug.exe
c:\windows\drweb.exe
c:\windows\gdi32.exe
c:\windows\hexdump.exe
c:\windows\iexplarer.exe
c:\windows\install.exe
c:\windows\login.exe
c:\windows\lsass.exe
c:\windows\mdll.dl
c:\windows\mdm.exe
c:\windows\msmgm.exe
c:\windows\nvsvc32.exe
c:\windows\services.exe
c:\windows\setup.exe
c:\windows\smss.exe
c:\windows\spoolsv.exe
c:\windows\svchost.exe
c:\windows\sysedit.exe
c:\windows\sysmgm.exe
c:\windows\system.exe
c:\windows\system32\cssrss.exe
c:\windows\system32\nso12k.sys
c:\windows\system32\test.exe
c:\windows\taskmgr.exe
c:\windows\user.exe
c:\windows\win.exe
c:\windows\win16.exe
c:\windows\win32.exe
c:\windows\winamp.exe
c:\windows\wininst.exe
c:\windows\winlogon.exe
c:\windows\Xjicab.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DRIVER
-------\Service_Driver
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 02:40 . 2011-04-21 02:40 -------- d-----w- C:\32788R22FWJFW
2011-04-17 19:15 . 2011-04-17 19:15 50000 ----a-w- c:\windows\system32\uuakw.dll
2011-04-17 19:15 . 2011-04-17 19:15 50000 ----a-w- c:\windows\system32\eguhxmzg.dll
2011-03-28 03:12 . 2011-03-28 03:12 -------- d-----w- c:\program files\Crawler
2011-03-28 03:12 . 2011-03-28 03:12 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-03-28 03:12 . 2011-04-18 02:51 -------- d-----w- c:\users\Adam\AppData\Roaming\Spyware Terminator
2011-03-28 03:12 . 2011-04-20 10:33 -------- d-----w- c:\programdata\Spyware Terminator
2011-03-28 03:12 . 2011-03-28 11:28 -------- d-----w- c:\program files\Spyware Terminator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-20 05:44 . 2011-03-20 03:11 0 ----a-w- c:\users\Adam\AppData\Local\Lpogo.bin
2011-04-19 02:36 . 2006-11-02 08:52 22632 ----a-w- c:\windows\system32\drivers\crcdisk.sys
2011-03-20 03:09 . 2011-03-20 03:09 137216 ----a-w- c:\windows\Xjicaa.exe
2011-02-18 20:36 . 2011-02-18 20:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 20:36 . 2011-02-18 20:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"= "c:\program files\Dogpile Bundle Toolbar\Helper.dll" [2010-11-01 373760]
.
[HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9B220C2-A500-99BD-F120-04B53A2C8952}]
2011-04-17 19:15 50000 ----a-w- c:\windows\System32\uuakw.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2010-11-01 1530368]
.
[HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2010-11-01 1530368]
.
[HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"cdloader"="c:\users\Adam\AppData\Roaming\mjusbsp\cdloader2.exe" [2010-12-03 50592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"SpywareTerminatorUpdate"="c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe" [2011-03-28 3318784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-11 4452352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-25 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-25 129560]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-5 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{B9B220C2-A500-99BD-F120-04B53A2C8952}"= "c:\windows\system32\uuakw.dll" [2011-04-17 50000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [x]
R2 MouseDriver;MouseDriver;c:\windows\TEMP\MouseDriver.bat [x]
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-08-24 84072]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2011-03-28 142592]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-08-24 141792]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-05-21 173352]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 22:12]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 22:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Crawler Search - tbr:iemenu
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\hvhw0c43.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=14196&l=dis
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=FWV5&o=14193&locale=en_US&apn_uid=3830594A-A973-46F8-9FB8-59D64256A6CC&apn_ptnrs=FM&apn_sauid=5769A5B9-4C42-42C6-98D8-40E14563C740&apn_dtid=TES001YYUS&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Crawler Toolbar: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\program files\Crawler\Toolbar\firefox
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-Nqoye - c:\users\Adam\AppData\Local\NPIKBDI.dll
HKCU-Run-Mqsrc - c:\windows\login.exe
HKCU-Run-Mquta - c:\windows\services.exe
HKCU-Run-Mque - c:\windows\user.exe
HKCU-Run-Mqrtc - c:\windows\hexdump.exe
HKCU-Run-Mqurb - c:\windows\taskmgr.exe
HKCU-Run-Mqug - c:\windows\smss.exe
HKCU-Run-MqrMc - c:\windows\gdi32.exe
HKCU-Run-Mquvc - c:\windows\setup.exe
HKCU-Run-Mqpe - c:\windows\avp.exe
HKCU-Run-Mqva - c:\windows\win.exe
HKCU-Run-Mqrta - c:\windows\install.exe
HKCU-Run-Mqsuc - c:\windows\lsass.exe
HKCU-Run-MqvPc - c:\windows\win32.exe
HKCU-Run-Mqvpe - c:\windows\winamp.exe
HKCU-Run-MqqZ - c:\windows\cmd.exe
HKCU-Run-Mqqoc - c:\windows\debug.exe
HKCU-Run-Mqutc - c:\windows\sysedit.exe
HKCU-Run-Mquwe - c:\windows\sysmgm.exe
HKCU-Run-Mqruqc - c:\windows\iexplarer.exe
HKCU-Run-Mqvre - c:\windows\wininst.exe
HKCU-Run-MqsZ - c:\windows\mdm.exe
HKCU-Run-Mquuf - c:\windows\spoolsv.exe
HKCU-Run-Mqstc - c:\windows\msmgm.exe
HKCU-Run-Mqqsc - c:\windows\drweb.exe
HKCU-Run-Mqtw+ - c:\windows\nvsvc32.exe
HKCU-Run-Mquxe - c:\windows\system.exe
HKCU-Run-Mquse - c:\windows\svchost.exe
HKCU-Run-Mqqyc - c:\windows\csrss.exe
HKCU-Run-MqpSc - c:\windows\avp32.exe
HKCU-Run-Mqvsc - c:\windows\winlogon.exe
HKLM-Run-Dganapuyuqi - c:\users\Adam\AppData\Local\ugilayotevokomas.dll
HKLM-Run-Mqsrc - c:\windows\login.exe
HKLM-Run-Mquta - c:\windows\services.exe
HKLM-Run-Mque - c:\windows\user.exe
HKLM-Run-Mqrtc - c:\windows\hexdump.exe
HKLM-Run-Mqurb - c:\windows\taskmgr.exe
HKLM-Run-Mqug - c:\windows\smss.exe
HKLM-Run-MqrMc - c:\windows\gdi32.exe
HKLM-Run-Mquvc - c:\windows\setup.exe
HKLM-Run-Mqpe - c:\windows\avp.exe
HKLM-Run-Mqva - c:\windows\win.exe
HKLM-Run-Mqrta - c:\windows\install.exe
HKLM-Run-Mqsuc - c:\windows\lsass.exe
HKLM-Run-MqvPc - c:\windows\win32.exe
HKLM-Run-Mqvpe - c:\windows\winamp.exe
HKLM-Run-MqqZ - c:\windows\cmd.exe
HKLM-Run-Mqqoc - c:\windows\debug.exe
HKLM-Run-Mqutc - c:\windows\sysedit.exe
HKLM-Run-Mquwe - c:\windows\sysmgm.exe
HKLM-Run-Mqruqc - c:\windows\iexplarer.exe
HKLM-Run-Mqvre - c:\windows\wininst.exe
HKLM-Run-MqsZ - c:\windows\mdm.exe
HKLM-Run-Mquuf - c:\windows\spoolsv.exe
HKLM-Run-Mqstc - c:\windows\msmgm.exe
HKLM-Run-Mqqsc - c:\windows\drweb.exe
HKLM-Run-Mqtw+ - c:\windows\nvsvc32.exe
HKLM-Run-Mquxe - c:\windows\system.exe
HKLM-Run-Mquse - c:\windows\svchost.exe
HKLM-Run-Mqqyc - c:\windows\csrss.exe
HKLM-Run-MqpSc - c:\windows\avp32.exe
HKLM-Run-Mqvsc - c:\windows\winlogon.exe
SafeBoot-klmdb.sys
AddRemove-OfferBox Browser - c:\program files\OfferBox\uninst.exe
AddRemove-Pharaoh - c:\sierra\Pharaoh\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-20 22:51
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MouseDriver]
"ImagePath"="%SystemRoot%\TEMP\MouseDriver.bat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3176)
c:\windows\system32\uuakw.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-04-20 22:55:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-21 02:55
.
Pre-Run: 464,805,425,152 bytes free
Post-Run: 464,848,105,472 bytes free
.
- - End Of File - - 7C0C67B0A2BD6F679AB4A78C5EB32179

Edited by heir, 21 April 2011 - 04:08 AM.
pasted in the log
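The "Other Deletions" and "ORPHANS REMOVED" sections of the ComboFix log above show a pattern worth recognising on sight: dozens of files in c:\windows named after core system processes (smss.exe, csrss.exe, lsass.exe, svchost.exe, winlogon.exe, services.exe, spoolsv.exe) whose legitimate copies live in c:\windows\system32, two typo-squatted names (cssrss.exe, iexplarer.exe), a service whose ImagePath is a .bat in c:\windows\TEMP, and matching HKCU and HKLM Run entries that launch them. The following is an added example, not ComboFix code and not part of the thread, of the location check a practitioner would run over such a log: an exact system-binary name in the wrong directory, a near-miss of a system-binary name, or an autorun target in a user-writable directory. CANONICAL is a hand-picked, deliberately incomplete table of legitimate locations (assumption: 32-bit Vista layout); the sample paths and Run entries are copied from the log above; the names classify, triage_autoruns and summarize are this example's own.

```python
"""Triage paths and autorun entries from a ComboFix log for system-binary
masquerading.

Added example for this thread; not ComboFix code.  CANONICAL is a small
hand-curated table (assumption: 32-bit Vista layout, a subset only) and the
sample entries are copied from the log posted above.
"""
import ntpath
from collections import Counter

# Legitimate directory for a few core binaries (lowercase, no trailing slash).
CANONICAL = {
    "smss.exe":     r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "svchost.exe":  r"c:\windows\system32",
    "spoolsv.exe":  r"c:\windows\system32",
    "taskmgr.exe":  r"c:\windows\system32",
    "cmd.exe":      r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Directory fragments any local user can write to; an autorun pointing here
# deserves a look even when the file name means nothing.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample: Run entries copied from the ORPHANS REMOVED section.
SAMPLE_RUN_ENTRIES = [
    r"HKCU-Run-Nqoye - c:\users\Adam\AppData\Local\NPIKBDI.dll",
    r"HKCU-Run-Mqsrc - c:\windows\login.exe",
    r"HKCU-Run-Mquta - c:\windows\services.exe",
    r"HKCU-Run-Mqsuc - c:\windows\lsass.exe",
    r"HKCU-Run-Mquse - c:\windows\svchost.exe",
    r"HKCU-Run-Mqruqc - c:\windows\iexplarer.exe",
    r"HKLM-Run-Mqqyc - c:\windows\csrss.exe",
]


def levenshtein(a, b):
    """Plain edit distance; file stems are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return (verdict, detail) for one absolute path.

    Verdicts: 'ok', 'masquerade' (exact system name, wrong directory),
    'lookalike' (near-miss of a system name), 'user-writable', 'unknown'.
    """
    p = path.lower().strip()
    directory, name = ntpath.split(p)
    if name in CANONICAL:
        if directory == CANONICAL[name]:
            return "ok", name
        return "masquerade", f"{name} expected in {CANONICAL[name]}, found in {directory}"
    stem = ntpath.splitext(name)[0]
    # Short stems produce too many accidental near-misses, so only test >= 6 chars.
    if len(stem) >= 6:
        dist, nearest = min((levenshtein(stem, ntpath.splitext(k)[0]), k) for k in CANONICAL)
        if dist <= 2:
            return "lookalike", f"{name} resembles {nearest} (edit distance {dist})"
    if any(marker in p for marker in USER_WRITABLE):
        return "user-writable", directory
    return "unknown", directory


def triage_autoruns(lines):
    """Parse ComboFix 'HIVE-Run-Name - path' lines into (key, path, verdict, detail)."""
    rows = []
    for line in lines:
        if " - " not in line:
            continue
        key, target = line.split(" - ", 1)
        rows.append((key.strip(), target.strip(), *classify(target)))
    return rows


def summarize(rows):
    """Count verdicts so a long log collapses to a handful of numbers."""
    return Counter(row[2] for row in rows)
```

The edit-distance threshold (2, on stems of six characters or more) is tuned to the names in this log; anything absent from CANONICAL can only come back as unknown or user-writable, so widen the table before relying on the check elsewhere. The same classify() runs unchanged over the "Other Deletions" paths, where it marks c:\windows\system32\cssrss.exe and c:\windows\iexplarer.exe as lookalikes and c:\windows\TEMP\MouseDriver.bat as user-writable.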


#6 heir (Malware Response Team)

Posted 21 April 2011 - 04:28 AM

Now I'm wondering if I can find a legit FREE virus, trojan, and malware protection program?

We'll come to that eventually. First though.

Have you disabled UAC on purpose?

Step 1.
Uninstall unwanted software:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Ask Toolbar
Dogpile Bundle Toolbar


Optional removals
Ask Toolbar and Dogpile Bundle Toolbar are considered to be Foistware.

It's up to you if you want to remove the above programs, however I recommend you do.


Step 2.
CFScript:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\uuakw.dll
c:\windows\system32\eguhxmzg.dll
c:\users\Adam\AppData\Local\Lpogo.bin
c:\windows\Xjicaa.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.
Things I would like to see in your reply:

  • Which programs were uninstalled in step 1.
  • The content of C:\ComboFix.txt from step 2.



#7 heir (Malware Response Team)

Posted 26 April 2011 - 04:15 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.





