TDSS Rootkit Infection


  • This topic is locked
20 replies to this topic

#1 jsteed

  • Members
  • 10 posts

Posted 21 April 2011 - 06:03 PM

I noticed that my Google searches were being redirected. I ran an AVG scan and found that my computer was infected. AVG could not remove the programs labeled 'Object is inaccessible.'

"D:\WINDOWS\system32\wuauclt.exe (5256):\memory_001b0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"D:\WINDOWS\system32\wuauclt.exe (5256)";"Trojan horse Agent_r.XJ";""
"D:\WINDOWS\system32\svchost.exe (1588):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"D:\WINDOWS\system32\svchost.exe (1588)";"Trojan horse Agent_r.XJ";""
"D:\WINDOWS\explorer.exe (1984):\memory_001a0000";"Trojan horse Agent_r.XJ";"Object is inaccessible."
"D:\WINDOWS\explorer.exe (1984)";"Trojan horse Agent_r.XJ";""

I did a search for this virus and found that it was the TDSS rootkit. I downloaded TDSSKiller ver. 2.4.21 but it would install to 80% and then crash with the MS grey box stating that a problem was encountered and it had to shut down. I tried renaming it to some random name.com as suggested. That did not change anything.

I also did an online scan with ESET. It found nothing. I then downloaded Malwarebytes which also found nothing. Finally I downloaded and ran SpywareDoctor which found a few tracking cookies but nothing else.

So I came here for advice. I downloaded and ran dss.scr (renamed zewyihle.exe). The file is attached/pasted. I could not attach ark.txt from gmer since it was 15MB and the site does not accept rar files for upload. Any help will be greatly appreciated.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Kevin at 15:39:30.29 on Wed 04/20/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2081 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\WINDOWS\system32\spoolsv.exe
d:\program files\idt\xpm09_6162v012\wdm\STacSV.exe
svchost.exe
F:\Program Files (x86)\avgwdsvc.exe
D:\WINDOWS\system32\dlbxcoms.exe
D:\WINDOWS\Explorer.EXE
F:\Program Files (x86)\PC Tools Security\pctsAuxs.exe
F:\Program Files (x86)\PC Tools Security\pctsSvc.exe
D:\Program Files\IDT\WDM\sttray.exe
D:\WINDOWS\system32\AESTFltr.exe
D:\Program Files\DellTPad\Apoint.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\WINDOWS\system32\igfxsrvc.exe
F:\Program Files (x86)\PC Tools Security\pctsGui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DellTPad\ApMsgFwd.exe
D:\Program Files\DellTPad\HidFind.exe
F:\Program Files (x86)\avgnsx.exe
F:\Program Files (x86)\avgemcx.exe
D:\Program Files\DellTPad\Apntex.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files (x86)\Identity Protection\Agent\Bin\AVGIDSAgent.exe
F:\Program Files (x86)\avgchsvx.exe
F:\Program Files (x86)\avgrsx.exe
F:\Program Files (x86)\avgcsrvx.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Kevin\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - f:\program files (x86)\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files (x86)\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~2\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - f:\program files (x86)\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - f:\program files (x86)\toolbar\IEToolbar.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Eraser] f:\program files (x86)\eraser\eraser.exe -hide
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Apoint] d:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] d:\windows\system32\WLTRAY.exe
mRun: [IgfxTray] d:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
mRun: [Persistence] d:\windows\system32\igfxpers.exe
mRun: [ISUSPM Startup] d:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "d:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AVG_TRAY] f:\program files (x86)\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ISTray] "f:\program files (x86)\pc tools security\pctsGui.exe" /hideGUI
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~2\spybot~1\SDHelper.dll
LSP: d:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: care360.com
Trusted Zone: questdiagnostics.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {69D1E588-02F8-4C00-B311-5C581402C247} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/DGXDPCtr.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - f:\program files (x86)\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files (x86)\avgpp.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2011-4-20 239168]
R0 pctDS;PC Tools Data Store;d:\windows\system32\drivers\pctDS.sys [2011-4-20 338880]
R0 pctEFA;PC Tools Extended File Attributes;d:\windows\system32\drivers\pctEFA.sys [2011-4-20 656320]
R1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;d:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 AVGIDSAgent;AVGIDSAgent;f:\program files (x86)\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;f:\program files (x86)\avgwdsvc.exe [2010-10-22 265400]
R2 sdAuxService;PC Tools Auxiliary Service;f:\program files (x86)\pc tools security\pctsAuxs.exe [2011-4-20 366840]
R2 sdCoreService;PC Tools Security Service;f:\program files (x86)\pc tools security\pctsSvc.exe [2011-4-20 1150936]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;d:\windows\system32\drivers\AESTAud.sys [2010-8-26 113024]
R3 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;d:\windows\system32\drivers\OA009Afx.sys [2010-8-26 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;d:\windows\system32\drivers\OA009Ufd.sys [2010-8-26 133632]
R3 OA009Vid;Creative Camera OA009 Function Driver;d:\windows\system32\drivers\OA009Vid.sys [2010-8-26 271552]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;d:\windows\system32\drivers\RTS5121.sys [2010-8-26 160256]
S3 AMBFilt;Creative AMB Service;d:\windows\system32\drivers\AMBFilt.sys [2010-8-26 1656960]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;f:\program files (x86)\toolbar\ToolbarBroker.exe [2010-10-28 517448]
S3 Rts516xIR;Realtek IR Driver;d:\windows\system32\drivers\rts516xir.sys --> d:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2011-04-20 20:26:11 -------- d-----w- d:\docume~1\kevin\locals~1\applic~1\Temp
2011-04-20 19:05:43 656320 ----a-w- d:\windows\system32\drivers\pctEFA.sys
2011-04-20 19:05:43 338880 ----a-w- d:\windows\system32\drivers\pctDS.sys
2011-04-20 19:05:41 251560 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2011-04-20 19:05:34 239168 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2011-04-20 19:05:34 160448 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2011-04-20 19:05:23 70536 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2011-04-20 19:05:14 -------- d-----w- d:\program files\common files\PC Tools
2011-04-20 19:05:14 -------- d-----w- d:\docume~1\kevin\applic~1\PC Tools
2011-04-20 18:58:49 -------- d-----w- d:\docume~1\alluse~1\applic~1\PC Tools
2011-04-20 17:04:40 -------- d-----w- d:\program files\ESET
2011-04-19 23:31:31 -------- d-----w- d:\docume~1\kevin\applic~1\Malwarebytes
2011-04-19 23:31:26 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-04-19 23:31:21 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-04-19 23:31:21 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-04-19 23:09:02 -------- d-----w- d:\windows\system32\wbem\repository\FS
2011-04-19 23:09:02 -------- d-----w- d:\windows\system32\wbem\Repository
2011-04-19 23:08:43 -------- d-----w- d:\windows\system32\images
2011-04-19 23:08:43 -------- d-----w- d:\windows\system32\html
2011-04-19 23:08:43 -------- d-----w- d:\documents and settings\kevin\WINDOWS
2011-04-19 21:32:08 -------- d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-19 19:58:10 -------- d-----w- D:\ComboFix
2011-04-07 17:40:58 306688 ----a-w- d:\windows\IsUninst.exe
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- d:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- d:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- d:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- d:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- d:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- d:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- d:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- d:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- d:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- d:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- d:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- d:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- d:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- d:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- d:\windows\system32\shimgvw.dll
2005-11-15 22:03:54 434176 ----a-w- d:\program files\SOAPware.Support.EScripts.dll
2005-09-26 15:36:00 147456 ----a-w- d:\program files\SOAPware.Support.Helpers.dll
2005-09-19 19:32:00 24576 ----a-w- d:\program files\AxInterop.SW_USERSLib.dll
2005-09-19 19:32:00 13312 ----a-w- d:\program files\Interop.SW_USERSLib.dll
2005-09-19 19:07:00 8192 ----a-w- d:\program files\AxInterop.SW_CHARTRACKLib.dll
2005-09-19 19:07:00 10240 ----a-w- d:\program files\Interop.SW_CHARTRACKLib.dll
2005-09-19 19:06:00 45056 ----a-w- d:\program files\AxInterop.SW_CHARTDATAACCESSLib.dll
2005-09-19 19:06:00 40960 ----a-w- d:\program files\Interop.SW_CHARTDATAACCESSLib.dll
2005-07-29 05:20:00 294982 ----a-w- d:\program files\SW_Users.ocx
2005-07-29 05:01:00 81998 ----a-w- d:\program files\SW_ChartRack.ocx
2005-07-29 05:00:00 512090 ----a-w- d:\program files\SW_ChartDataAccess.ocx
2004-08-12 17:18:00 9216 ----a-w- d:\program files\Interop.BUGZSCOUTLib.dll
2004-03-01 20:58:18 561424 ----a-w- d:\program files\common files\dao360.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK3265GSX rev.GJ002D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x8AB0B4F0]<<
d:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ab117d0]; MOV EAX, [0x8ab1184c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x808181A6] -> \Device\Harddisk0\DR0[0x8AA5DAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x808181A6] -> [0x8AB1E920]
5 PCTCore[0xB9EAD099] -> ntkrnlpa!IofCallDriver[0x808181A6] -> [0x8AB22D98]
\Driver\atapi[0x8AB75E18] -> IRP_MJ_CREATE -> 0x8AB0B4F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AB0B33B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:41:25.29 ===============
Attached file: Attach.txt (17.09 KB)
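The ROOTKIT section of the DDS log above is GMER's MBR detector: it reads sector 0 once through the normal user-mode path ("user: MBR read successfully") and once from the kernel ("kernel: MBR read successfully") and compares them, then lists driver hooks; here the two views matched, but the hook on \Driver\atapi DriverStartIo is what produced the "possible TDL3 rootkit infection" warning, because a hook at that level is exactly what lets a bootkit hand a clean copy of the MBR to anyone reading it through the normal stack. The Python below is an added illustration of that cross-view check, not part of jsteed's post and not GMER's code. It parses a 512-byte sector (boot signature, partition table, boot-code hash), diffs a "user" view against a "kernel" view, and reports the unpartitioned space after the last partition, where the TDL4 family keeps its hidden file store. The boot-code stubs, partition layout and disk size are constructed test data, labelled as such in the code; the clean stub only borrows the first three instructions shown in the log's disassembly.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446      # four 16-byte partition entries live at 446..509
SIG_OFF = 510             # 0x55 0xAA boot signature at 510..511
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions: list[tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte sector from boot code plus up to four
    (status, type, lba_start, sectors) entries. CHS fields are zeroed; this
    exists only to construct test images, never to write a real disk."""
    table = bytearray(64)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, table, 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    return boot_code[:PART_TABLE_OFF].ljust(PART_TABLE_OFF, b"\0") + bytes(table) + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-signature status, a hash of the boot code, and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFF]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr_views(user_mbr: bytes, kernel_mbr: bytes, disk_sectors: int) -> dict:
    """Cross-view check: the same sector read through the normal file API and
    read below any hooked driver. A bootkit that filters disk reads returns the
    clean sector to the first reader and the real one to the second, so any
    difference is the finding. The unpartitioned tail is reported because the
    TDL4 family parks its hidden file store after the last partition; a small
    tail is normal alignment slack, so treat it as a pointer, not a verdict."""
    user, kernel = parse_mbr(user_mbr), parse_mbr(kernel_mbr)
    last_end = max((p["lba_start"] + p["sectors"] for p in kernel["partitions"]), default=0)
    return {
        "signature_ok": user["signature_ok"] and kernel["signature_ok"],
        "boot_code_differs": user["boot_code_sha256"] != kernel["boot_code_sha256"],
        "partition_table_differs": user_mbr[PART_TABLE_OFF:SIG_OFF] != kernel_mbr[PART_TABLE_OFF:SIG_OFF],
        "unpartitioned_tail_sectors": max(disk_sectors - last_end, 0),
    }


# Constructed test data (assumptions, not bytes from the thread): a stub boot code,
# one bootable NTFS partition starting at LBA 63, and a disk of 1,024,000 sectors.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64   # xor ax,ax / mov ss,ax / mov sp,7c00h, then padding
INFECTED_BOOT_CODE = b"\xe9\x00\x01" + b"\x90" * 64                # a jump into replaced loader code
PARTITIONS = [(0x80, 0x07, 63, 1_000_000)]
DISK_SECTORS = 1_024_000
USER_VIEW = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)       # what a filtered user-mode read would return
KERNEL_VIEW = build_mbr(INFECTED_BOOT_CODE, PARTITIONS)  # what is really on sector 0

if __name__ == "__main__":
    print("clean disk: ", compare_mbr_views(USER_VIEW, USER_VIEW, DISK_SECTORS))
    print("hooked disk:", compare_mbr_views(USER_VIEW, KERNEL_VIEW, DISK_SECTORS))
```

On a live Windows machine the user-mode view is simply the first 512 bytes of `\\.\PhysicalDrive0` opened with administrator rights; the kernel-side view is the part that needs a driver (which is what GMER supplies) or a read from clean boot media, because a read issued through the hooked stack can be answered with the clean copy. Note that the partition table is usually left intact by bootkits, so `partition_table_differs` staying false while `boot_code_differs` is true is the expected signature of an infected loader, not a sign that the check is wrong.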


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 21 April 2011 - 07:33 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 jsteed

  • Topic Starter
  • Members
  • 10 posts

Posted 22 April 2011 - 10:29 AM

Hi CatByte,
Thanks for volunteering to help me out. It is much appreciated. I've pasted the results from ComboFix. It finished in about 10 minutes. After it was done, I tried Google and still get the redirects. I also get an occasional crash after the generic process server stops.

ComboFix 11-04-19.01 - Kevin 04/22/2011 8:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2345 [GMT -6:00]
Running from: d:\documents and settings\Kevin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\Kevin\WINDOWS
d:\windows\system32\html
d:\windows\system32\images
d:\windows\system32\w020t32w.dll
d:\windows\system32\w021t32w.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-21 20:24 . 2010-08-19 19:17 1940656 ----a-w- D:\RegCureSetup_RW.exe
2011-04-20 20:26 . 2011-04-20 20:26 -------- d-----w- d:\documents and settings\Kevin\Local Settings\Application Data\Temp
2011-04-20 19:05 . 2010-07-16 20:59 656320 ----a-w- d:\windows\system32\drivers\pctEFA.sys
2011-04-20 19:05 . 2010-07-16 20:59 338880 ----a-w- d:\windows\system32\drivers\pctDS.sys
2011-04-20 19:05 . 2011-01-17 15:10 251560 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2011-04-20 19:05 . 2010-12-10 22:57 160448 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2011-04-20 19:05 . 2010-12-10 19:24 239168 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2011-04-20 19:05 . 2010-12-16 14:46 70536 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2011-04-20 19:05 . 2011-04-21 14:30 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2011-04-20 19:05 . 2011-04-20 19:14 -------- d-----w- d:\program files\Common Files\PC Tools
2011-04-20 19:05 . 2011-04-20 19:05 -------- d-----w- d:\documents and settings\Kevin\Application Data\PC Tools
2011-04-20 18:58 . 2011-04-20 19:05 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2011-04-20 17:04 . 2011-04-20 17:04 -------- d-----w- d:\program files\ESET
2011-04-19 23:31 . 2011-04-19 23:31 -------- d-----w- d:\documents and settings\Kevin\Application Data\Malwarebytes
2011-04-19 23:31 . 2010-12-21 00:09 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-04-19 23:31 . 2011-04-19 23:31 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-04-19 23:31 . 2010-12-21 00:08 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-04-19 23:09 . 2011-04-19 23:09 -------- d-----w- d:\windows\system32\wbem\Repository
2011-04-19 21:32 . 2011-04-19 21:32 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-07 17:40 . 1998-10-29 22:45 306688 ----a-w- d:\windows\IsUninst.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-08-26 16:59 692736 ----a-w- d:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- d:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- d:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- d:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- d:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- d:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- d:\windows\system32\html.iec
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- d:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-08-26 19:05 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- d:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- d:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- d:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- d:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- d:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2010-08-26 16:58 2067456 ----a-w- d:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-08-26 16:58 677888 ----a-w- d:\windows\system32\mstsc.exe
2005-11-15 22:03 . 2005-11-15 22:03 434176 ----a-w- d:\program files\SOAPware.Support.EScripts.dll
2005-09-26 15:36 . 2005-09-26 15:36 147456 ----a-w- d:\program files\SOAPware.Support.Helpers.dll
2005-09-19 19:32 . 2005-09-19 19:32 24576 ----a-w- d:\program files\AxInterop.SW_USERSLib.dll
2005-09-19 19:32 . 2005-09-19 19:32 13312 ----a-w- d:\program files\Interop.SW_USERSLib.dll
2005-09-19 19:07 . 2005-09-19 19:07 8192 ----a-w- d:\program files\AxInterop.SW_CHARTRACKLib.dll
2005-09-19 19:07 . 2005-09-19 19:07 10240 ----a-w- d:\program files\Interop.SW_CHARTRACKLib.dll
2005-09-19 19:06 . 2005-09-19 19:06 45056 ----a-w- d:\program files\AxInterop.SW_CHARTDATAACCESSLib.dll
2005-09-19 19:06 . 2005-09-19 19:06 40960 ----a-w- d:\program files\Interop.SW_CHARTDATAACCESSLib.dll
2005-07-29 05:20 . 2005-07-29 05:20 294982 ----a-w- d:\program files\SW_Users.ocx
2005-07-29 05:01 . 2005-07-29 05:01 81998 ----a-w- d:\program files\SW_ChartRack.ocx
2005-07-29 05:00 . 2005-07-29 05:00 512090 ----a-w- d:\program files\SW_ChartDataAccess.ocx
2004-08-12 17:18 . 2004-08-12 17:18 9216 ----a-w- d:\program files\Interop.BUGZSCOUTLib.dll
2004-03-01 20:58 . 2004-03-01 20:58 561424 ----a-w- d:\program files\Common Files\dao360.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-10-06 17:31 2475336 ----a-w- f:\program files (x86)\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "f:\program files (x86)\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "f:\program files (x86)\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="f:\program files (x86)\Eraser\eraser.exe" [2006-11-11 634880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="d:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"Apoint"="d:\program files\DellTPad\Apoint.exe" [2009-01-23 217088]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="d:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"ISUSPM Startup"="d:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"AVG_TRAY"="f:\program files (x86)\avgtray.exe" [2011-01-07 2747744]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0f:\progra~2\avgchsvx.exe /sync\0f:\progra~2\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files (x86)\\Zetafax\\ZETAFAX.EXE"=
"f:\\Program Files (x86)\\IDA\\idag.exe"=
"f:\\Program Files (x86)\\IDA\\idag64.exe"=
"f:\\Program Files (x86)\\avgmfapx.exe"=
"d:\\WINDOWS\\system32\\dlbxcoms.exe"=
"f:\\Program Files (x86)\\avgdiagex.exe"=
"f:\\Program Files (x86)\\avgnsx.exe"=
"f:\\Program Files (x86)\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 26064]
R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [4/20/2011 1:05 PM 239168]
R0 pctDS;PC Tools Data Store;d:\windows\system32\drivers\pctDS.sys [4/20/2011 1:05 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;d:\windows\system32\drivers\pctEFA.sys [4/20/2011 1:05 PM 656320]
R1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 251728]
R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 299984]
R2 avgwd;AVG WatchDog;f:\program files (x86)\avgwdsvc.exe [10/22/2010 5:58 AM 265400]
R3 AESTAud;AE Audio Service;d:\windows\system32\drivers\AESTAud.sys [8/26/2010 11:43 AM 113024]
R3 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 123472]
R3 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 30288]
R3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 26192]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;d:\windows\system32\drivers\OA009Afx.sys [8/26/2010 12:13 PM 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;d:\windows\system32\drivers\OA009Ufd.sys [8/26/2010 12:13 PM 133632]
R3 OA009Vid;Creative Camera OA009 Function Driver;d:\windows\system32\drivers\OA009Vid.sys [8/26/2010 12:13 PM 271552]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;d:\windows\system32\drivers\RTS5121.sys [8/26/2010 12:08 PM 160256]
S2 AVGIDSAgent;AVGIDSAgent;f:\program files (x86)\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/6/2011 4:23 PM 6128720]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 AMBFilt;Creative AMB Service;d:\windows\system32\drivers\AMBFilt.sys [8/26/2010 11:43 AM 1656960]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;f:\program files (x86)\Toolbar\ToolbarBroker.exe [10/28/2010 9:34 AM 517448]
S3 Rts516xIR;Realtek IR Driver;d:\windows\system32\DRIVERS\Rts516xIR.sys --> d:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files (x86)\PC Tools Security\pctsAuxs.exe [4/20/2011 1:05 PM 366840]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
LSP: d:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: care360.com
Trusted Zone: questdiagnostics.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - f:\program files (x86)\Toolbar\IEToolbar.dll
DPF: {69D1E588-02F8-4C00-B311-5C581402C247} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/DGXDPCtr.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
AddRemove-Office Hours Professional Demo 9 - f:\progra~2\NDCMED~1\BINDEM~1\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 08:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK3265GSX rev.GJ002D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AAE933B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1072)
d:\windows\system32\WININET.dll
d:\windows\system32\BCMLogon.dll
d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(1136)
d:\windows\system32\WININET.dll
d:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-04-22 08:53:26
ComboFix-quarantined-files.txt 2011-04-22 14:53
.
Pre-Run: 29,243,817,984 bytes free
Post-Run: 29,468,262,400 bytes free
.
- - End Of File - - 926276A80CAC3D906EF9E653BBF61344

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 22 April 2011 - 11:25 AM

Hi

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT

Reset your Router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up HERE.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.



NEXT



  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between ..g and /f; it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 jsteed (Topic Starter)

Posted 22 April 2011 - 11:58 AM

When I try to start TDSSKiller, it loads to 80%. Then the MS grey box pops up and says that an error has occurred and the program must shut down. This is as before, no change. I also tried renaming it with such names as iexplore.exe and program.com. This did not make any difference.

#6 CatByte (Malware Response Team)

Posted 22 April 2011 - 12:10 PM

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

#7 jsteed (Topic Starter)

Posted 22 April 2011 - 12:21 PM

Hi CatByte,

Here is the log file. aswMBR also created a 1K file named mbr.dat.

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-22 11:19:51
-----------------------------
11:19:51.906 OS Version: Windows 5.1.2600 Service Pack 3
11:19:51.906 Number of processors: 2 586 0x170A
11:19:51.906 ComputerName: KEVIN UserName: Kevin
11:19:52.500 Initialize success
11:20:09.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:20:09.140 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 3
11:20:09.140 Device \Driver\atapi -> DriverStartIo 8aaf333b
11:20:09.140 Disk 0 MBR read error
11:20:09.140 Disk 0 MBR scan
11:20:09.140 MBR BIOS signature not found 0
11:20:09.140 Disk 0 scanning sectors +625139712
11:20:09.140 Disk 0 scanning D:\WINDOWS\system32\drivers
11:20:16.765 Service scanning
11:20:17.687 Disk 0 trace - called modules:
11:20:17.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88eb2cf0]<<
11:20:17.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa5cab8]
11:20:17.687 Scan finished successfully

#8 CatByte (Malware Response Team)

Posted 22 April 2011 - 12:27 PM

FIX

Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix Button for FIXMBR

Save the log as before and post in your next reply

#9 jsteed (Topic Starter)

Posted 22 April 2011 - 12:42 PM

Hi CatByte,

Here is the log file after the scan and FixMBR.

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-22 11:39:41
-----------------------------
11:39:41.265 OS Version: Windows 5.1.2600 Service Pack 3
11:39:41.265 Number of processors: 2 586 0x170A
11:39:41.265 ComputerName: KEVIN UserName: Kevin
11:39:41.625 Initialize success
11:39:43.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:39:43.937 Disk 0 Vendor: TOSHIBA_MK3265GSX GJ002D Size: 305245MB BusType: 3
11:39:43.937 Device \Driver\atapi -> DriverStartIo 8aaf333b
11:39:43.937 Disk 0 MBR read error
11:39:43.937 Disk 0 MBR scan
11:39:43.937 MBR BIOS signature not found 0
11:39:43.937 Disk 0 scanning sectors +625139712
11:39:43.937 Disk 0 scanning D:\WINDOWS\system32\drivers
11:39:51.171 Service scanning
11:39:52.281 Disk 0 trace - called modules:
11:39:52.281 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88eb2cf0]<<
11:39:52.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa5cab8]
11:39:52.281 Scan finished successfully
11:40:02.125 Disk 0 MBR fix error
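The two aswMBR logs in posts #7 and #9 are read by looking for a handful of tell-tale lines. As an added example (not part of the thread, nor of aswMBR, TDSSKiller or ComboFix), the Python below flags those lines automatically and shows the 0x55AA boot-signature check behind "MBR BIOS signature not found"; the sample log lines are constructed from the two logs, the disk sectors are constructed in code, and the partition-table layout assumed is the standard four-entry MBR at offset 446.

```python
"""Added example for this thread (not part of aswMBR, TDSSKiller or ComboFix):
flag the bootkit tell-tales in an aswMBR log and check a raw MBR sector for
the 0x55AA signature the log reports missing. All sample data is constructed."""
import re
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # the "BIOS signature" aswMBR looks for
PARTITION_TABLE_OFFSET = 446      # standard MBR layout: 4 x 16-byte entries
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA, count

# (pattern, what the line means to the person reading the log)
INDICATORS = [
    (re.compile(r"MBR read error"),
     "sector 0 could not be read from inside Windows: disk reads are filtered"),
    (re.compile(r"MBR BIOS signature not found"),
     "sector 0 does not end in 55 AA: the real boot code is hidden or replaced"),
    (re.compile(r"\\Driver\\atapi -> DriverStartIo [0-9a-f]+"),
     "atapi's DriverStartIo points outside the driver: the disk stack is hooked"),
    (re.compile(r">>UNKNOWN \[0x[0-9a-f]+\]<<"),
     "an unnamed module sits in the disk call chain: hidden driver code"),
    (re.compile(r"MBR fix error"),
     "rewriting the MBR from inside Windows was blocked: fix it offline"),
]

# Constructed from the logs in posts #7 and #9 above.
SAMPLE_LOG = """\
11:39:43.937 Disk 0 (boot) \\Device\\Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP0T0L0-3
11:39:43.937 Device \\Driver\\atapi -> DriverStartIo 8aaf333b
11:39:43.937 Disk 0 MBR read error
11:39:43.937 Disk 0 MBR scan
11:39:43.937 MBR BIOS signature not found 0
11:39:52.281 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x88eb2cf0]<<
11:39:52.281 Scan finished successfully
11:40:02.125 Disk 0 MBR fix error
"""

# Constructed log with none of the indicators, for comparison.
CLEAN_LOG = """\
11:39:43.937 Disk 0 (boot) \\Device\\Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP0T0L0-3
11:39:43.937 Disk 0 MBR scan
11:39:52.281 Scan finished successfully
"""


def triage_aswmbr_log(text):
    """Return (line, meaning) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        for pattern, meaning in INDICATORS:
            if pattern.search(line):
                hits.append((line.strip(), meaning))
    return hits


def verdict(hits):
    """One-word summary: one odd line can be a tool glitch, but three or more
    independent signs (read error, missing signature, hooked driver) are the
    bootkit pattern seen in this thread."""
    distinct = {meaning for _, meaning in hits}
    if not distinct:
        return "clean"
    return "bootkit-likely" if len(distinct) >= 3 else "suspicious"


def has_boot_signature(sector):
    """True when a 512-byte sector ends with the 0x55AA boot signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    return sector[MBR_SIZE - 2:] == BOOT_SIGNATURE


def partition_table_entries(sector):
    """Parse the four partition entries of a signed MBR, skipping empty slots."""
    if not has_boot_signature(sector):
        raise ValueError("no 55AA signature: refusing to parse as an MBR")
    entries = []
    for index in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype != 0:
            entries.append({"index": index, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def build_mbr(partitions, signed=True):
    """Construct a test MBR from (type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    for index, (ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * index,
                         0x80 if index == 0 else 0x00, b"\0\0\0", ptype,
                         b"\0\0\0", lba, count)
    if signed:
        sector[MBR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for line, meaning in triage_aswmbr_log(SAMPLE_LOG):
        print(f"{line}\n    -> {meaning}")
    print("verdict:", verdict(triage_aswmbr_log(SAMPLE_LOG)))
```

The `verdict` threshold is a reading aid for this thread's pattern, not a rule from any of the tools: one flagged line deserves a second scan, several together are what CatByte acted on with FIXMBR.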

#10 CatByte (Malware Response Team)

Posted 22 April 2011 - 12:51 PM

That didn't work; we will need to do it manually in the Recovery Console:

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the Windows XP bootup)

When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

Next type FIXMBR

If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.



NEXT


Rerun ComboFix - allow it to update if it requests to do so > post the resulting log

#11 jsteed (Topic Starter)

Posted 22 April 2011 - 01:13 PM

Hi CatByte,

ComboFix seemed to run much faster after doing fixmbr. Here is the log.

ComboFix 11-04-19.01 - Kevin 04/22/2011 12:03:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2488 [GMT -6:00]
Running from: d:\documents and settings\Kevin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-22 18:01 . 2011-04-22 18:01 1893 ----a-w- d:\windows\bcmwltrytmp.reg
2011-04-21 20:24 . 2010-08-19 19:17 1940656 ----a-w- D:\RegCureSetup_RW.exe
2011-04-20 20:26 . 2011-04-20 20:26 -------- d-----w- d:\documents and settings\Kevin\Local Settings\Application Data\Temp
2011-04-20 19:05 . 2010-07-16 20:59 656320 ----a-w- d:\windows\system32\drivers\pctEFA.sys
2011-04-20 19:05 . 2010-07-16 20:59 338880 ----a-w- d:\windows\system32\drivers\pctDS.sys
2011-04-20 19:05 . 2011-01-17 15:10 251560 ----a-w- d:\windows\system32\drivers\pctgntdi.sys
2011-04-20 19:05 . 2010-12-10 22:57 160448 ----a-w- d:\windows\system32\drivers\PCTAppEvent.sys
2011-04-20 19:05 . 2010-12-10 19:24 239168 ----a-w- d:\windows\system32\drivers\PCTCore.sys
2011-04-20 19:05 . 2010-12-16 14:46 70536 ----a-w- d:\windows\system32\drivers\pctplsg.sys
2011-04-20 19:05 . 2011-04-21 14:30 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2011-04-20 19:05 . 2011-04-20 19:14 -------- d-----w- d:\program files\Common Files\PC Tools
2011-04-20 19:05 . 2011-04-20 19:05 -------- d-----w- d:\documents and settings\Kevin\Application Data\PC Tools
2011-04-20 18:58 . 2011-04-20 19:05 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2011-04-20 17:04 . 2011-04-20 17:04 -------- d-----w- d:\program files\ESET
2011-04-19 23:31 . 2011-04-19 23:31 -------- d-----w- d:\documents and settings\Kevin\Application Data\Malwarebytes
2011-04-19 23:31 . 2010-12-21 00:09 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2011-04-19 23:31 . 2011-04-19 23:31 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2011-04-19 23:31 . 2010-12-21 00:08 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-04-19 23:09 . 2011-04-19 23:09 -------- d-----w- d:\windows\system32\wbem\Repository
2011-04-19 21:32 . 2011-04-19 21:32 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-07 17:40 . 1998-10-29 22:45 306688 ----a-w- d:\windows\IsUninst.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-08-26 16:59 692736 ----a-w- d:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- d:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- d:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- d:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- d:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- d:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- d:\windows\system32\html.iec
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- d:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-08-26 19:05 5120 ----a-w- d:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- d:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- d:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- d:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- d:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- d:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2010-08-26 16:58 2067456 ----a-w- d:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-08-26 16:58 677888 ----a-w- d:\windows\system32\mstsc.exe
2005-11-15 22:03 . 2005-11-15 22:03 434176 ----a-w- d:\program files\SOAPware.Support.EScripts.dll
2005-09-26 15:36 . 2005-09-26 15:36 147456 ----a-w- d:\program files\SOAPware.Support.Helpers.dll
2005-09-19 19:32 . 2005-09-19 19:32 24576 ----a-w- d:\program files\AxInterop.SW_USERSLib.dll
2005-09-19 19:32 . 2005-09-19 19:32 13312 ----a-w- d:\program files\Interop.SW_USERSLib.dll
2005-09-19 19:07 . 2005-09-19 19:07 8192 ----a-w- d:\program files\AxInterop.SW_CHARTRACKLib.dll
2005-09-19 19:07 . 2005-09-19 19:07 10240 ----a-w- d:\program files\Interop.SW_CHARTRACKLib.dll
2005-09-19 19:06 . 2005-09-19 19:06 45056 ----a-w- d:\program files\AxInterop.SW_CHARTDATAACCESSLib.dll
2005-09-19 19:06 . 2005-09-19 19:06 40960 ----a-w- d:\program files\Interop.SW_CHARTDATAACCESSLib.dll
2005-07-29 05:20 . 2005-07-29 05:20 294982 ----a-w- d:\program files\SW_Users.ocx
2005-07-29 05:01 . 2005-07-29 05:01 81998 ----a-w- d:\program files\SW_ChartRack.ocx
2005-07-29 05:00 . 2005-07-29 05:00 512090 ----a-w- d:\program files\SW_ChartDataAccess.ocx
2004-08-12 17:18 . 2004-08-12 17:18 9216 ----a-w- d:\program files\Interop.BUGZSCOUTLib.dll
2004-03-01 20:58 . 2004-03-01 20:58 561424 ----a-w- d:\program files\Common Files\dao360.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-22_14.49.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-02-28 12:00 . 2011-04-22 14:40 90232 d:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2011-04-22 18:05 90232 d:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2011-04-22 18:05 489504 d:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2011-04-22 14:40 489504 d:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-10-06 17:31 2475336 ----a-w- f:\program files (x86)\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "f:\program files (x86)\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "f:\program files (x86)\Toolbar\IEToolbar.dll" [2010-10-06 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="f:\program files (x86)\Eraser\eraser.exe" [2006-11-11 634880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="d:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"Apoint"="d:\program files\DellTPad\Apoint.exe" [2009-01-23 217088]
"Broadcom Wireless Manager UI"="d:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2008-09-16 150040]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2008-09-16 178712]
"Persistence"="d:\windows\system32\igfxpers.exe" [2008-09-16 150040]
"ISUSPM Startup"="d:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="d:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"AVG_TRAY"="f:\program files (x86)\avgtray.exe" [2011-01-07 2747744]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0f:\progra~2\avgchsvx.exe /sync\0f:\progra~2\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files (x86)\\Zetafax\\ZETAFAX.EXE"=
"f:\\Program Files (x86)\\IDA\\idag.exe"=
"f:\\Program Files (x86)\\IDA\\idag64.exe"=
"f:\\Program Files (x86)\\avgmfapx.exe"=
"d:\\WINDOWS\\system32\\dlbxcoms.exe"=
"f:\\Program Files (x86)\\avgdiagex.exe"=
"f:\\Program Files (x86)\\avgnsx.exe"=
"f:\\Program Files (x86)\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 26064]
R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [4/20/2011 1:05 PM 239168]
R0 pctDS;PC Tools Data Store;d:\windows\system32\drivers\pctDS.sys [4/20/2011 1:05 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;d:\windows\system32\drivers\pctEFA.sys [4/20/2011 1:05 PM 656320]
R1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 251728]
R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 299984]
R2 avgwd;AVG WatchDog;f:\program files (x86)\avgwdsvc.exe [10/22/2010 5:58 AM 265400]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;d:\windows\system32\drivers\AESTAud.sys [8/26/2010 11:43 AM 113024]
R3 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 123472]
R3 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 30288]
R3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 26192]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;d:\windows\system32\drivers\OA009Afx.sys [8/26/2010 12:13 PM 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;d:\windows\system32\drivers\OA009Ufd.sys [8/26/2010 12:13 PM 133632]
R3 OA009Vid;Creative Camera OA009 Function Driver;d:\windows\system32\drivers\OA009Vid.sys [8/26/2010 12:13 PM 271552]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;d:\windows\system32\drivers\RTS5121.sys [8/26/2010 12:08 PM 160256]
S2 AVGIDSAgent;AVGIDSAgent;f:\program files (x86)\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/6/2011 4:23 PM 6128720]
S3 AMBFilt;Creative AMB Service;d:\windows\system32\drivers\AMBFilt.sys [8/26/2010 11:43 AM 1656960]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;f:\program files (x86)\Toolbar\ToolbarBroker.exe [10/28/2010 9:34 AM 517448]
S3 Rts516xIR;Realtek IR Driver;d:\windows\system32\DRIVERS\Rts516xIR.sys --> d:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files (x86)\PC Tools Security\pctsAuxs.exe [4/20/2011 1:05 PM 366840]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
LSP: d:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: care360.com
Trusted Zone: questdiagnostics.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - f:\program files (x86)\Toolbar\IEToolbar.dll
DPF: {69D1E588-02F8-4C00-B311-5C581402C247} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/DGXDPCtr.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 12:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1064)
d:\windows\system32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(1124)
d:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(1868)
d:\windows\system32\WININET.dll
d:\windows\system32\ieframe.dll
d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
d:\windows\system32\webcheck.dll
.
Completion time: 2011-04-22 12:09:45
ComboFix-quarantined-files.txt 2011-04-22 18:09
ComboFix2.txt 2011-04-22 14:53
.
Pre-Run: 29,464,092,672 bytes free
Post-Run: 29,454,639,104 bytes free
.
- - End Of File - - 388735A7AE8A7BAA97620A90D68BD7E9

#12 CatByte (Malware Response Team)

Posted 22 April 2011 - 01:20 PM

That looks better now; how is the computer running?

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

#13 jsteed (Topic Starter)

Posted 22 April 2011 - 04:31 PM

Hi CatByte,

You're a hero!

I ran Malwarebytes and it found nothing (log attached). That was the same result as I had before I contacted you. I then ran ESET and it found one infected file (log also attached). Was this the source of the infection? I had downloaded this a day or two before I began having problems. Previously, ESET did not find this. I then ran AVG, which first identified the virus. It did not find anything at all, even the file that ESET found. I have rebooted the computer and used Google without any problems. I could even access the bleepingcomputer site.

Also, I can now run TDSSKiller. This variant must watch for it regardless of its name.

Many thanks for all your help. Your karma has increased.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6421

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/22/2011 12:30:45 PM
mbam-log-2011-04-22 (12-30-45).txt

Scan type: Quick scan
Objects scanned: 155079
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Log
F:\Temp\registrybooster[2].exe Win32/RegistryBooster application

Edited by jsteed, 22 April 2011 - 04:41 PM.


#14 CatByte (Malware Response Team)

Posted 22 April 2011 - 05:01 PM

Hi

This is a pesky variant that seems to block all our usual tools. The registry booster program likely isn't the source; I doubt it is infected, ESET is just alerting to the type of file it is. I don't recommend using registry cleaners, boosters or whatever else they are called; they are not necessary, so I would remove it.

Give TDSSKiller a run and make sure it is clean. Also post a fresh DDS log and advise if there are any outstanding issues. Also, Java is not showing up in your list of installed programs; do you have Java, or have you chosen not to have it?

If you would like it, you can download it from here:

http://java.com/en/download/index.jsp

#15 jsteed (Topic Starter)

Posted 22 April 2011 - 05:36 PM

Hi CatByte,

I have pasted the logs from TDSSKiller and DDS below. I have also attached attach.txt. Yes, I installed Java and keep it updated. Where should I look to see if it is really gone and needs to be reinstalled?

2011/04/22 16:29:11.0468 2624 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/22 16:29:12.0031 2624 ================================================================================
2011/04/22 16:29:12.0031 2624 SystemInfo:
2011/04/22 16:29:12.0031 2624
2011/04/22 16:29:12.0031 2624 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/22 16:29:12.0031 2624 Product type: Workstation
2011/04/22 16:29:12.0031 2624 ComputerName: KEVIN
2011/04/22 16:29:12.0031 2624 UserName: Kevin
2011/04/22 16:29:12.0031 2624 Windows directory: D:\WINDOWS
2011/04/22 16:29:12.0031 2624 System windows directory: D:\WINDOWS
2011/04/22 16:29:12.0031 2624 Processor architecture: Intel x86
2011/04/22 16:29:12.0031 2624 Number of processors: 2
2011/04/22 16:29:12.0031 2624 Page size: 0x1000
2011/04/22 16:29:12.0031 2624 Boot type: Normal boot
2011/04/22 16:29:12.0031 2624 ================================================================================
2011/04/22 16:29:12.0437 2624 Initialize success
2011/04/22 16:29:16.0734 3376 ================================================================================
2011/04/22 16:29:16.0734 3376 Scan started
2011/04/22 16:29:16.0734 3376 Mode: Manual;
2011/04/22 16:29:16.0734 3376 ================================================================================
2011/04/22 16:29:18.0859 3376 ACPI (8fd99680a539792a30e97944fdaecf17) D:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/22 16:29:18.0921 3376 ACPIEC (9859c0f6936e723e4892d7141b1327d5) D:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/22 16:29:19.0046 3376 aec (8bed39e3c35d6a489438b8141717a557) D:\WINDOWS\system32\drivers\aec.sys
2011/04/22 16:29:19.0078 3376 AESTAud (5f980524742bbdefee4ac28c228b1b56) D:\WINDOWS\system32\drivers\AESTAud.sys
2011/04/22 16:29:19.0156 3376 AFD (7618d5218f2a614672ec61a80d854a37) D:\WINDOWS\System32\drivers\afd.sys
2011/04/22 16:29:19.0328 3376 AMBFilt (5b285895100d285a61285deefc124132) D:\WINDOWS\system32\drivers\AMBFilt.sys
2011/04/22 16:29:19.0453 3376 ApfiltrService (5bffa4db168d2d0f99c182732535e82f) D:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/04/22 16:29:19.0562 3376 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) D:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/22 16:29:19.0656 3376 atapi (9f3a2f5aa6875c72bf062c712cfa2674) D:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/22 16:29:19.0718 3376 Atmarpc (9916c1225104ba14794209cfa8012159) D:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/22 16:29:19.0828 3376 audstub (d9f724aa26c010a217c97606b160ed68) D:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/22 16:29:19.0890 3376 AVGIDSDriver (646cccd12886facb8676bdd9b7d54e29) D:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/04/22 16:29:20.0000 3376 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) D:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/04/22 16:29:20.0031 3376 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) D:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/04/22 16:29:20.0140 3376 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) D:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/04/22 16:29:20.0187 3376 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) D:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/04/22 16:29:20.0234 3376 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) D:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/04/22 16:29:20.0328 3376 Avgrkx86 (ffbe8adeb1fd8640540bf6e4a137b3ef) D:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/04/22 16:29:20.0406 3376 Avgtdix (69e6adf5cbbdeb5f2b727c93937a5823) D:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/04/22 16:29:20.0562 3376 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) D:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/04/22 16:29:20.0687 3376 Beep (da1f27d85e0d1525f6621372e7b685e9) D:\WINDOWS\system32\drivers\Beep.sys
2011/04/22 16:29:20.0906 3376 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) D:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/22 16:29:20.0953 3376 CCDECODE (0be5aef125be881c4f854c554f2b025c) D:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/22 16:29:21.0062 3376 Cdaudio (c1b486a7658353d33a10cc15211a873b) D:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/22 16:29:21.0109 3376 Cdfs (c885b02847f5d2fd45a24e219ed93b32) D:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/22 16:29:21.0171 3376 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) D:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/22 16:29:21.0312 3376 CmBatt (0f6c187d38d98f8df904589a5f94d411) D:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/22 16:29:21.0375 3376 Compbatt (6e4c9f21f0fae8940661144f41b13203) D:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/22 16:29:21.0531 3376 Disk (044452051f3e02e7963599fc8f4f3e25) D:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/22 16:29:21.0625 3376 dmboot (d992fe1274bde0f84ad826acae022a41) D:\WINDOWS\system32\drivers\dmboot.sys
2011/04/22 16:29:21.0703 3376 dmio (7c824cf7bbde77d95c08005717a95f6f) D:\WINDOWS\system32\drivers\dmio.sys
2011/04/22 16:29:21.0734 3376 dmload (e9317282a63ca4d188c0df5e09c6ac5f) D:\WINDOWS\system32\drivers\dmload.sys
2011/04/22 16:29:21.0796 3376 DMusic (8a208dfcf89792a484e76c40e5f50b45) D:\WINDOWS\system32\drivers\DMusic.sys
2011/04/22 16:29:21.0859 3376 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) D:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/22 16:29:21.0921 3376 Fastfat (38d332a6d56af32635675f132548343e) D:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/22 16:29:21.0984 3376 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) D:\WINDOWS\system32\drivers\Fdc.sys
2011/04/22 16:29:22.0062 3376 Fips (d45926117eb9fa946a6af572fbe1caa3) D:\WINDOWS\system32\drivers\Fips.sys
2011/04/22 16:29:22.0093 3376 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) D:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/22 16:29:22.0140 3376 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) D:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/22 16:29:22.0218 3376 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) D:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/22 16:29:22.0265 3376 Ftdisk (6ac26732762483366c3969c9e4d2259d) D:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/22 16:29:22.0312 3376 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) D:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/22 16:29:22.0406 3376 HDAudBus (573c7d0a32852b48f3058cfd8026f511) D:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/22 16:29:22.0484 3376 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) D:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/22 16:29:22.0578 3376 HTTP (f80a415ef82cd06ffaf0d971528ead38) D:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/22 16:29:22.0703 3376 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) D:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/22 16:29:22.0953 3376 ialm (d1359e54d9755d28e56b17a352ab8aae) D:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/04/22 16:29:23.0109 3376 Imapi (083a052659f5310dd8b6a6cb05edcf8e) D:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/22 16:29:23.0203 3376 intelppm (8c953733d8f36eb2133f5bb58808b66b) D:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/22 16:29:23.0250 3376 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) D:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/22 16:29:23.0343 3376 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) D:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/22 16:29:23.0390 3376 IpInIp (b87ab476dcf76e72010632b5550955f5) D:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/22 16:29:23.0453 3376 IpNat (cc748ea12c6effde940ee98098bf96bb) D:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/22 16:29:23.0515 3376 IPSec (23c74d75e36e7158768dd63d92789a91) D:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/22 16:29:23.0593 3376 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) D:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/22 16:29:23.0656 3376 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) D:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/22 16:29:23.0750 3376 Kbdclass (463c1ec80cd17420a542b7f36a36f128) D:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/22 16:29:23.0812 3376 kmixer (692bcf44383d056aed41b045a323d378) D:\WINDOWS\system32\drivers\kmixer.sys
2011/04/22 16:29:23.0906 3376 KSecDD (b467646c54cc746128904e1654c750c1) D:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/22 16:29:24.0031 3376 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) D:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/22 16:29:24.0125 3376 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) D:\WINDOWS\system32\drivers\Modem.sys
2011/04/22 16:29:24.0203 3376 MonFilt (9fa7207d1b1adead88ae8eed9cdbbaa5) D:\WINDOWS\system32\drivers\MonFilt.sys
2011/04/22 16:29:24.0328 3376 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) D:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/22 16:29:24.0375 3376 mouhid (b1c303e17fb9d46e87a98e4ba6769685) D:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/22 16:29:24.0421 3376 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) D:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/22 16:29:24.0515 3376 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) D:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/22 16:29:24.0546 3376 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) D:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/22 16:29:24.0609 3376 Msfs (c941ea2454ba8350021d774daf0f1027) D:\WINDOWS\system32\drivers\Msfs.sys
2011/04/22 16:29:24.0703 3376 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) D:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/22 16:29:24.0734 3376 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) D:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/22 16:29:24.0796 3376 MSPQM (bad59648ba099da4a17680b39730cb3d) D:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/22 16:29:24.0828 3376 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) D:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/22 16:29:24.0875 3376 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) D:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/22 16:29:24.0968 3376 Mup (2f625d11385b1a94360bfc70aaefdee1) D:\WINDOWS\system32\drivers\Mup.sys
2011/04/22 16:29:25.0031 3376 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) D:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/22 16:29:25.0109 3376 NDIS (1df7f42665c94b825322fae71721130d) D:\WINDOWS\system32\drivers\NDIS.sys
2011/04/22 16:29:25.0156 3376 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) D:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/22 16:29:25.0203 3376 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) D:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/22 16:29:25.0281 3376 Ndisuio (f927a4434c5028758a842943ef1a3849) D:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/22 16:29:25.0296 3376 NdisWan (edc1531a49c80614b2cfda43ca8659ab) D:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/22 16:29:25.0359 3376 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) D:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/22 16:29:25.0421 3376 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) D:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/22 16:29:25.0500 3376 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) D:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/22 16:29:25.0578 3376 Npfs (3182d64ae053d6fb034f44b6def8034a) D:\WINDOWS\system32\drivers\Npfs.sys
2011/04/22 16:29:25.0656 3376 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) D:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/22 16:29:25.0734 3376 Null (73c1e1f395918bc2c6dd67af7591a3ad) D:\WINDOWS\system32\drivers\Null.sys
2011/04/22 16:29:25.0781 3376 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) D:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/22 16:29:25.0843 3376 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) D:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/22 16:29:25.0906 3376 OA009Afx (ec528056b89d15755abb624e55949e44) D:\WINDOWS\system32\Drivers\OA009Afx.sys
2011/04/22 16:29:26.0000 3376 OA009Ufd (2cf21d5f8f1b74bb1922135ac2b12ddb) D:\WINDOWS\system32\DRIVERS\OA009Ufd.sys
2011/04/22 16:29:26.0062 3376 OA009Vid (636c6ee8bb6ec473b8fe221eff77e0cc) D:\WINDOWS\system32\DRIVERS\OA009Vid.sys
2011/04/22 16:29:26.0109 3376 Parport (5575faf8f97ce5e713d108c2a58d7c7c) D:\WINDOWS\system32\drivers\Parport.sys
2011/04/22 16:29:26.0187 3376 PartMgr (beb3ba25197665d82ec7065b724171c6) D:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/22 16:29:26.0234 3376 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) D:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/22 16:29:26.0265 3376 PCI (a219903ccf74233761d92bef471a07b1) D:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/22 16:29:26.0359 3376 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) D:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/22 16:29:26.0406 3376 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) D:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/22 16:29:26.0609 3376 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) D:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/22 16:29:26.0687 3376 PSched (09298ec810b07e5d582cb3a3f9255424) D:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/22 16:29:26.0734 3376 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) D:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/22 16:29:26.0843 3376 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) D:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/22 16:29:26.0937 3376 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) D:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/22 16:29:26.0968 3376 RasPppoe (5bc962f2654137c9909c3d4603587dee) D:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/22 16:29:27.0015 3376 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) D:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/22 16:29:27.0109 3376 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) D:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/22 16:29:27.0156 3376 RDPCDD (4912d5b403614ce99c28420f75353332) D:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/22 16:29:27.0187 3376 rdpdr (15cabd0f7c00c47c70124907916af3f1) D:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/22 16:29:27.0296 3376 RDPWD (6728e45b66f93c08f11de2e316fc70dd) D:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/22 16:29:27.0343 3376 redbook (f828dd7e1419b6653894a8f97a0094c5) D:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/22 16:29:27.0453 3376 RSUSBSTOR (030442f08aec1a5d7cf035cc514374b9) D:\WINDOWS\system32\Drivers\RTS5121.sys
2011/04/22 16:29:27.0546 3376 Secdrv (90a3935d05b494a5a39d37e71f09a677) D:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/22 16:29:27.0625 3376 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) D:\WINDOWS\system32\drivers\Serial.sys
2011/04/22 16:29:27.0687 3376 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) D:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/22 16:29:27.0796 3376 SLIP (866d538ebe33709a5c9f5c62b73b7d14) D:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/22 16:29:27.0890 3376 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) D:\WINDOWS\system32\drivers\splitter.sys
2011/04/22 16:29:28.0000 3376 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) D:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/22 16:29:28.0046 3376 Srv (47ddfc2f003f7f9f0592c6874962a2e7) D:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/22 16:29:28.0375 3376 STHDA (3ba7a1cdd535af51dad742236aea0741) D:\WINDOWS\system32\drivers\sthda.sys
2011/04/22 16:29:28.0453 3376 streamip (77813007ba6265c4b6098187e6ed79d2) D:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/22 16:29:28.0484 3376 swenum (3941d127aef12e93addf6fe6ee027e0f) D:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/22 16:29:28.0531 3376 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) D:\WINDOWS\system32\drivers\swmidi.sys
2011/04/22 16:29:28.0609 3376 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) D:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/22 16:29:28.0703 3376 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) D:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/22 16:29:28.0765 3376 TDPIPE (6471a66807f5e104e4885f5b67349397) D:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/22 16:29:28.0843 3376 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) D:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/22 16:29:28.0906 3376 TermDD (88155247177638048422893737429d9e) D:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/22 16:29:29.0046 3376 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) D:\WINDOWS\system32\drivers\Udfs.sys
2011/04/22 16:29:29.0171 3376 Update (402ddc88356b1bac0ee3dd1580c76a31) D:\WINDOWS\system32\DRIVERS\update.sys
2011/04/22 16:29:29.0234 3376 usbccgp (c18d6c74953621346df6b0a11f80c1cc) D:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/22 16:29:29.0296 3376 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) D:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/22 16:29:29.0375 3376 usbhub (1ab3cdde553b6e064d2e754efe20285c) D:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/22 16:29:29.0437 3376 usbstor (a32426d9b14a089eaa1d922e0c5801a9) D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/22 16:29:29.0500 3376 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) D:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/22 16:29:29.0562 3376 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) D:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/22 16:29:29.0625 3376 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) D:\WINDOWS\System32\drivers\vga.sys
2011/04/22 16:29:29.0703 3376 VolSnap (4c8fcb5cc53aab716d810740fe59d025) D:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/22 16:29:29.0781 3376 Wanarp (e20b95baedb550f32dd489265c1da1f6) D:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/22 16:29:29.0875 3376 Wdf01000 (fd47474bd21794508af449d9d91af6e6) D:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/04/22 16:29:30.0000 3376 wdmaud (6768acf64b18196494413695f0c3a00f) D:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/22 16:29:30.0078 3376 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) D:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/22 16:29:30.0140 3376 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) D:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/04/22 16:29:30.0218 3376 WSTCODEC (c98b39829c2bbd34e454150633c62c78) D:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/22 16:29:30.0296 3376 yukonwxp (109b497d481490be0a31c390fce9bffe) D:\WINDOWS\system32\DRIVERS\yk51x86.sys
2011/04/22 16:29:30.0578 3376 ================================================================================
2011/04/22 16:29:30.0578 3376 Scan finished
2011/04/22 16:29:30.0578 3376 ================================================================================
2011/04/22 16:30:02.0406 1776 Deinitialize success


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Kevin at 16:30:07.10 on Fri 04/22/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3032.2430 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
D:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
D:\WINDOWS\system32\spoolsv.exe
d:\program files\idt\xpm09_6162v012\wdm\STacSV.exe
svchost.exe
D:\WINDOWS\system32\dlbxcoms.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\AESTFltr.exe
D:\Program Files\DellTPad\Apoint.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\DellTPad\ApMsgFwd.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DellTPad\HidFind.exe
D:\Program Files\DellTPad\Apntex.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files (x86)\AVG\avgchsvx.exe
F:\Program Files (x86)\AVG\avgrsx.exe
F:\Program Files (x86)\AVG\avgcsrvx.exe
F:\Program Files (x86)\AVG\Identity Protection\Agent\Bin\AVGIDSAgent.exe
F:\Program Files (x86)\AVG\avgwdsvc.exe
F:\Program Files (x86)\AVG\avgnsx.exe
F:\Program Files (x86)\AVG\avgemcx.exe
F:\Program Files (x86)\AVG\avgtray.exe
F:\Program Files (x86)\AVG\Identity Protection\agent\bin\avgidsmonitor.exe
D:\Documents and Settings\Kevin\Desktop\dds.scr
.
============== Pseudo HJT Report ===============

Attached File: Attach.txt (18.87 KB)
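The TDSSKiller output above is just a driver enumeration: one line per kernel service with its image MD5 and path, then "Scan finished". On a rootkit case the useful thing to do with such a list is to compare it against a known-clean scan of the same machine and look for a driver whose hash changed in place or an image loaded from somewhere other than system32\drivers. The script below is an added example (not the poster's, and not part of TDSSKiller) that parses lines in the format shown in this log and performs that comparison. The regular expression is derived from the visible line layout, not from a TDSSKiller format specification; the "baseline" sample reuses three lines from the posted log, while the second scan is constructed for the demonstration: the altered Fastfat hash and the service named `examplesvc` are hypothetical and do not appear in the real log.

```python
import re
from dataclasses import dataclass

# Line layout as seen in the posted TDSSKiller 2.4.x log:
#   <yyyy/mm/dd> <hh:mm:ss.ffff> <pid> <service> (<md5>) <image path>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>\S.*)$"
)


@dataclass(frozen=True)
class DriverEntry:
    service: str
    md5: str
    path: str


def parse_tdsskiller(text):
    """Return {service name: DriverEntry} for every driver line.
    Banner rows, '=====' separators, 'Scan finished' and the like do not
    match the pattern and are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        entries[m["service"]] = DriverEntry(m["service"], m["md5"].lower(), m["path"])
    return entries


def diff_scans(baseline, current):
    """Compare two scans of the same host.
    'changed': same service name, different image hash (an existing driver
               patched in place reads like this);
    'added'/'removed': services present in only one of the two scans."""
    base_names, cur_names = set(baseline), set(current)
    return {
        "added": sorted(cur_names - base_names),
        "removed": sorted(base_names - cur_names),
        "changed": sorted(
            n for n in base_names & cur_names if baseline[n].md5 != current[n].md5
        ),
    }


def outside_drivers_dir(entries, windir=r"D:\WINDOWS"):
    """Services whose image is not under %WINDIR%\\system32\\drivers.
    The comparison is case-insensitive, matching NTFS (the log itself mixes
    'drivers' and 'DRIVERS'). D:\\WINDOWS is the Windows directory in the posted log."""
    prefix = (windir.rstrip("\\") + "\\system32\\drivers\\").lower()
    return sorted(e.service for e in entries.values()
                  if not e.path.lower().startswith(prefix))


# Three lines copied from the posted log (the clean 2011/04/22 scan), plus its trailer.
BASELINE_LOG = r"""
2011/04/22 16:29:21.0921 3376 Fastfat (38d332a6d56af32635675f132548343e) D:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/22 16:29:22.0140 3376 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) D:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/22 16:29:28.0703 3376 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) D:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/22 16:29:30.0578 3376 ================================================================================
2011/04/22 16:29:30.0578 3376 Scan finished
"""

# CONSTRUCTED follow-up scan of the same host. Fastfat now carries a different
# hash (made up), and a hypothetical service 'examplesvc' loads its image from
# system32 itself rather than system32\drivers. Neither is in the real log.
CURRENT_LOG = r"""
2011/04/23 09:00:00.0000 2024 Fastfat (00000000000000000000000000000000) D:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/23 09:00:00.0000 2024 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) D:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/23 09:00:00.0000 2024 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) D:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/23 09:00:00.0000 2024 examplesvc (ffffffffffffffffffffffffffffffff) D:\WINDOWS\system32\examplesvc.sys
2011/04/23 09:00:00.0000 2024 Scan finished
"""


if __name__ == "__main__":
    base = parse_tdsskiller(BASELINE_LOG)
    cur = parse_tdsskiller(CURRENT_LOG)
    for kind, names in diff_scans(base, cur).items():
        print(f"{kind:8s}: {names}")
    print("outside drivers dir:", outside_drivers_dir(cur))
```

Run against the two samples it reports Fastfat as changed and `examplesvc` as both added and loaded from outside the drivers directory; run against the posted log alone (baseline vs. itself) it reports nothing, which is consistent with the clean result TDSSKiller printed. The comparison only tells you that something differs, not what it is: a changed hash after a Windows Update is normal, so the next step is to check the new file's digital signature and hash against a known-good source before treating it as an infected driver.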
