Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

rootkit infection, redirects, MS update does not work


  • This topic is locked This topic is locked
10 replies to this topic

#1 Russklo

Russklo

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 04 May 2011 - 10:30 AM

(The ARK Log from GMER is too big to upload; even after I have compressed it in a zip file.)

I am trying to help a friend with her computer. It seems to have a rootkit infection. GMER reports that there is rootkit activity that has changed some of the files. The internet browser suffers from constantly being redirected. Microsoft update does not work. TDSSKiller intializes to 80% and then instead of starting, I get an error message that says it has to close down. Malwarebytes and Spybot clean some of the problems out, but they are not fixing the rootkit problem. Also I made the mistake of leaving the computer on one night and it seemed to get more Malware downloaded on to it.

Currently I took off the antivirus program to see if that was somehow interfering with TDSSKiller (it wasn't). I have disbaled the network connection so that it isn't on the internet. The only firewall being used is Windows. I can download and install McAffe to this machine. It is provided by the initernet provider.

Anyways...Help!

Thanks

Russ


DDS Log


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Sandy at 8:48:27.33 on Wed 05/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.725 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
E:\malware protection programs\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Page =
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5cbe2611-c31b-401f-89bc-4cbb25e853d7} - Zango Toolbar
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Zango Toolbar: {5cbe2611-c31b-401f-89bc-4cbb25e853d7} -
TB: {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-8-13 583640]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 Normandy;Normandy SR2; [x]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2011-5-2 44672]
S3 XCWBE;XCWBE;c:\docume~1\admini~1\locals~1\temp\xcwbe.exe --> c:\docume~1\admini~1\locals~1\temp\XCWBE.exe [?]
.
=============== Created Last 30 ================
.
2011-05-03 23:25:03 -------- d-sh--w- c:\documents and settings\sandy\IECompatCache
2011-05-02 16:00:00 44672 ----a-w- c:\windows\system32\drivers\SDTHOOK.SYS
2011-05-02 15:59:32 8576 ----a-w- c:\windows\system32\drivers\nwjhqfqrhivu.sys
2011-05-01 22:10:09 -------- d-----w- c:\docume~1\sandy\applic~1\WinPatrol
2011-05-01 22:10:01 -------- d-----w- c:\program files\BillP Studios
2011-04-30 04:05:31 8576 ----a-w- c:\windows\system32\drivers\bidlbadqduex.sys
2011-04-30 03:21:33 8576 ----a-w- c:\windows\system32\drivers\tbygrwnhvsck.sys
2011-04-30 00:54:11 8576 ----a-w- c:\windows\system32\drivers\wsnclireksan.sys
2011-04-30 00:51:56 -------- d-----w- c:\documents and settings\sandy\Pavark
2011-04-30 00:07:38 1377112 ----a-w- C:\TDSSKiller.exe
2011-04-29 20:07:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-29 20:07:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-29 20:03:44 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-29 20:03:44 -------- d-----w- c:\documents and settings\sandy\log
2011-04-29 14:13:19 -------- d-----w- c:\program files\Trend Micro
2011-04-27 22:16:26 -------- d-----w- C:\0fbe6599bb9e83ab2e98b896d974ac79
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-28 15:45:55 0 -c--a-w- c:\windows\Ojogu.bin
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK6025GAS rev.KA201A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B614F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86b677d0]; MOV EAX, [0x86b6784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86BD8AB8]
3 CLASSPNP[0xF78C2FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000072[0x86B7F3B8]
5 ACPI[0xF7839620] -> nt!IofCallDriver[0x804E37D5] -> [0x86B7F030]
\Driver\atapi[0x86B4B300] -> IRP_MJ_CREATE -> 0x86B614F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86B6133B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:50:35.98 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:32 AM

Posted 04 May 2011 - 04:04 PM

Good evening. :)

Kaspersky have just released a new version of their tool, so give it a whirl:

Delete any old copies and then download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • One the scan has completed, if the tool has identified anything allow it to carry out it's default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which i'd like to see, will be located at the root of you hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.

 

 


#3 Russklo

Russklo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 07 May 2011 - 04:32 PM

Noviciate,

Thanks for the reply. You were right. The new version of TDSSKiller.exe opened and ran without a problem. It found and defeated one infection. Following is the log file.

Russ

2011/05/07 17:09:38.0690 0380 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/07 17:09:38.0790 0380 ================================================================================
2011/05/07 17:09:38.0790 0380 SystemInfo:
2011/05/07 17:09:38.0790 0380
2011/05/07 17:09:38.0790 0380 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/07 17:09:38.0790 0380 Product type: Workstation
2011/05/07 17:09:38.0790 0380 ComputerName: HPPAVILION
2011/05/07 17:09:38.0790 0380 UserName: Sandy
2011/05/07 17:09:38.0790 0380 Windows directory: C:\WINDOWS
2011/05/07 17:09:38.0790 0380 System windows directory: C:\WINDOWS
2011/05/07 17:09:38.0790 0380 Processor architecture: Intel x86
2011/05/07 17:09:38.0790 0380 Number of processors: 1
2011/05/07 17:09:38.0790 0380 Page size: 0x1000
2011/05/07 17:09:38.0790 0380 Boot type: Normal boot
2011/05/07 17:09:38.0790 0380 ================================================================================
2011/05/07 17:09:39.0051 0380 Initialize success
2011/05/07 17:09:43.0858 0396 ================================================================================
2011/05/07 17:09:43.0858 0396 Scan started
2011/05/07 17:09:43.0858 0396 Mode: Manual;
2011/05/07 17:09:43.0858 0396 ================================================================================
2011/05/07 17:09:46.0171 0396 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/07 17:09:46.0281 0396 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/05/07 17:09:46.0632 0396 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/07 17:09:46.0792 0396 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/07 17:09:47.0032 0396 AFS2K (c685cc27a2e637f0dcb5a45e67cc6f74) C:\WINDOWS\system32\drivers\AFS2K.sys
2011/05/07 17:09:47.0223 0396 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/07 17:09:47.0723 0396 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/05/07 17:09:48.0074 0396 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/07 17:09:48.0825 0396 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/07 17:09:49.0005 0396 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/07 17:09:49.0356 0396 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/07 17:09:49.0536 0396 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/07 17:09:49.0957 0396 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/05/07 17:09:50.0147 0396 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/07 17:09:50.0367 0396 bidlbadqduex (d7dbfbc453b645111e6d21142305e80b) C:\WINDOWS\system32\drivers\bidlbadqduex.sys
2011/05/07 17:09:50.0567 0396 CAMCAUD (2f78085eb29a20b7d030374e8a388e7f) C:\WINDOWS\system32\drivers\camcaud.sys
2011/05/07 17:09:50.0708 0396 CAMCHALA (407cd35839a1fffd7e28e0467f1cf4b8) C:\WINDOWS\system32\drivers\camchal.sys
2011/05/07 17:09:50.0998 0396 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/07 17:09:51.0238 0396 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/07 17:09:51.0499 0396 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/07 17:09:51.0609 0396 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/07 17:09:52.0009 0396 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/07 17:09:52.0210 0396 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/07 17:09:52.0680 0396 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/07 17:09:52.0921 0396 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/07 17:09:53.0191 0396 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/07 17:09:53.0341 0396 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/07 17:09:53.0512 0396 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/07 17:09:53.0842 0396 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/07 17:09:54.0012 0396 eabfiltr (81b7808d3b5892388f33273119c2dc31) C:\WINDOWS\system32\drivers\EABFiltr.sys
2011/05/07 17:09:54.0233 0396 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys
2011/05/07 17:09:54.0443 0396 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/07 17:09:54.0573 0396 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/07 17:09:54.0844 0396 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/07 17:09:55.0024 0396 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/07 17:09:55.0214 0396 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/07 17:09:55.0444 0396 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/07 17:09:55.0555 0396 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/07 17:09:55.0645 0396 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/07 17:09:55.0795 0396 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/07 17:09:56.0045 0396 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/07 17:09:56.0386 0396 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/05/07 17:09:56.0576 0396 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/05/07 17:09:56.0756 0396 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/05/07 17:09:56.0927 0396 HSFHWICH (a4877a17e87d6e6ab959b36b9ef3de8a) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2011/05/07 17:09:57.0257 0396 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/05/07 17:09:57.0447 0396 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/07 17:09:57.0868 0396 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/07 17:09:58.0038 0396 ialm (20d7e1e0a3c3ce12769428d4236b1ba1) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/05/07 17:09:58.0299 0396 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/07 17:09:58.0479 0396 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/07 17:09:58.0619 0396 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/07 17:09:58.0839 0396 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/07 17:09:59.0020 0396 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/07 17:09:59.0190 0396 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/07 17:09:59.0410 0396 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/07 17:09:59.0530 0396 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/07 17:09:59.0670 0396 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/07 17:09:59.0911 0396 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/07 17:10:00.0061 0396 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/07 17:10:00.0211 0396 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/07 17:10:00.0472 0396 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/07 17:10:00.0812 0396 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/05/07 17:10:01.0052 0396 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/07 17:10:01.0223 0396 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/07 17:10:01.0383 0396 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/07 17:10:01.0623 0396 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/07 17:10:01.0773 0396 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/07 17:10:02.0194 0396 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/07 17:10:02.0384 0396 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/07 17:10:02.0535 0396 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/07 17:10:02.0745 0396 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/07 17:10:02.0915 0396 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/07 17:10:03.0216 0396 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/07 17:10:03.0456 0396 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/07 17:10:03.0586 0396 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/07 17:10:03.0746 0396 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/07 17:10:03.0987 0396 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/07 17:10:04.0107 0396 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/07 17:10:04.0257 0396 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/07 17:10:04.0487 0396 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/07 17:10:04.0618 0396 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/07 17:10:04.0768 0396 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/07 17:10:05.0068 0396 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/07 17:10:05.0449 0396 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/07 17:10:05.0649 0396 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/07 17:10:05.0839 0396 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/07 17:10:06.0050 0396 nwjhqfqrhivu (d7dbfbc453b645111e6d21142305e80b) C:\WINDOWS\system32\drivers\nwjhqfqrhivu.sys
2011/05/07 17:10:06.0200 0396 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/07 17:10:06.0340 0396 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/07 17:10:06.0590 0396 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/07 17:10:06.0741 0396 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/07 17:10:06.0851 0396 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/07 17:10:07.0111 0396 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/07 17:10:07.0301 0396 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/07 17:10:07.0612 0396 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/07 17:10:07.0782 0396 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/05/07 17:10:08.0583 0396 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/07 17:10:08.0794 0396 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/07 17:10:09.0014 0396 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/07 17:10:09.0164 0396 PxHelp20 (7e1eacdecba39e0b2a35306426f0decc) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/05/07 17:10:09.0695 0396 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/07 17:10:09.0975 0396 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/05/07 17:10:10.0246 0396 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/07 17:10:10.0346 0396 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/07 17:10:10.0436 0396 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/07 17:10:10.0546 0396 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/07 17:10:10.0786 0396 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/07 17:10:11.0007 0396 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/07 17:10:11.0157 0396 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/07 17:10:11.0487 0396 RTL8023 (31c3ebb3a71fe56b8109bfb4ed20ae69) C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
2011/05/07 17:10:11.0658 0396 RTL8023xp (3529828ec571fb2f64f6b142f9109993) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/05/07 17:10:11.0828 0396 SDTHOOK (eb1dc6fdbd540665e644b92819c53454) C:\WINDOWS\system32\DRIVERS\SDTHOOK.sys
2011/05/07 17:10:12.0088 0396 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/07 17:10:12.0289 0396 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/07 17:10:12.0409 0396 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/07 17:10:12.0639 0396 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/05/07 17:10:12.0859 0396 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2011/05/07 17:10:13.0220 0396 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/07 17:10:13.0330 0396 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/07 17:10:13.0510 0396 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/07 17:10:13.0781 0396 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/07 17:10:13.0931 0396 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/07 17:10:14.0532 0396 SynTP (0f332c0ba9b968ebc8cbb906416f8597) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/05/07 17:10:14.0682 0396 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/07 17:10:15.0023 0396 tbygrwnhvsck (d7dbfbc453b645111e6d21142305e80b) C:\WINDOWS\system32\drivers\tbygrwnhvsck.sys
2011/05/07 17:10:15.0223 0396 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/07 17:10:15.0503 0396 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/07 17:10:15.0643 0396 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/07 17:10:15.0764 0396 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/07 17:10:16.0174 0396 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/07 17:10:16.0575 0396 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/07 17:10:16.0745 0396 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/07 17:10:17.0065 0396 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/07 17:10:17.0226 0396 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/07 17:10:17.0366 0396 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/07 17:10:17.0586 0396 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/07 17:10:17.0736 0396 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/07 17:10:17.0897 0396 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/07 17:10:18.0127 0396 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/07 17:10:18.0277 0396 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/05/07 17:10:18.0397 0396 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/07 17:10:18.0768 0396 w22n51 (b6cb2cce557ce57c72c3d31e701e6e39) C:\WINDOWS\system32\DRIVERS\w22n51.sys
2011/05/07 17:10:19.0028 0396 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/07 17:10:19.0409 0396 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/07 17:10:19.0619 0396 winachsf (473ee64c368ce2eed110376c11960259) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/05/07 17:10:19.0970 0396 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/07 17:10:20.0170 0396 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/07 17:10:20.0350 0396 wsnclireksan (d7dbfbc453b645111e6d21142305e80b) C:\WINDOWS\system32\drivers\wsnclireksan.sys
2011/05/07 17:10:20.0661 0396 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/07 17:10:20.0861 0396 {6080A529-897E-4629-A488-ABA0C29B635E} (887d6363d9d8de694e4b66f0186952d4) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/05/07 17:10:21.0011 0396 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (9acbcba2a6d11fb9ada56996b9586752) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/05/07 17:10:21.0362 0396 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} (dfedb24618117e72d5b5c8f95d877b0b) C:\WINDOWS\system32\drivers\wA301a.sys
2011/05/07 17:10:21.0412 0396 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/07 17:10:21.0452 0396 ================================================================================
2011/05/07 17:10:21.0452 0396 Scan finished
2011/05/07 17:10:21.0452 0396 ================================================================================
2011/05/07 17:10:21.0482 0388 Detected object count: 1
2011/05/07 17:10:35.0141 0388 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/07 17:10:35.0151 0388 \HardDisk1 - ok
2011/05/07 17:10:35.0151 0388 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/05/07 17:10:40.0069 0236 Deinitialize success

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:32 AM

Posted 07 May 2011 - 04:38 PM

Good evening. :)

You were right.

It does occasionally happen - treat it as a novelty.

If you haven't already, reboot the PC and then take it for a test-drive and let me know how it's behaving.

So long, and thanks for all the fish.

 

 


#5 Russklo

Russklo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 09 May 2011 - 10:23 AM

The computer seems to be running well. I am not experiencing any redirects of web links. I have the windows update running well. It seems to be functioning at a good speed and without any delay. So, are we clear?

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:32 AM

Posted 09 May 2011 - 01:22 PM

Good evening. :)

So, are we clear?

Probably. I like to have an online scan run, just to look for leftovers, and assuming that it comes back without major nasties, a little housekeeping and you're good to go.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.

 

 


#7 Russklo

Russklo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 09 May 2011 - 07:10 PM

Eset reported no problems. The computer seems to be running fine. Attached are the log files from DDS.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Sandy at 20:01:01.80 on Mon 05/09/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.722 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
E:\malware protection programs\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://att.my.yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Page =
mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {5cbe2611-c31b-401f-89bc-4cbb25e853d7} - Zango Toolbar
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Zango Toolbar: {5cbe2611-c31b-401f-89bc-4cbb25e853d7} -
TB: {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
Notify: itlntfy - itlnfw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-8-13 583640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 Normandy;Normandy SR2; [x]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2011-5-2 44672]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XCWBE;XCWBE;c:\docume~1\admini~1\locals~1\temp\xcwbe.exe --> c:\docume~1\admini~1\locals~1\temp\XCWBE.exe [?]
.
=============== Created Last 30 ================
.
2011-05-08 00:34:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-05-03 23:25:03 -------- d-sh--w- c:\documents and settings\sandy\IECompatCache
2011-05-02 16:00:00 44672 ----a-w- c:\windows\system32\drivers\SDTHOOK.SYS
2011-05-02 15:59:32 8576 ----a-w- c:\windows\system32\drivers\nwjhqfqrhivu.sys
2011-05-01 22:10:09 -------- d-----w- c:\docume~1\sandy\applic~1\WinPatrol
2011-05-01 22:10:01 -------- d-----w- c:\program files\BillP Studios
2011-04-30 04:05:31 8576 ----a-w- c:\windows\system32\drivers\bidlbadqduex.sys
2011-04-30 03:21:33 8576 ----a-w- c:\windows\system32\drivers\tbygrwnhvsck.sys
2011-04-30 00:54:11 8576 ----a-w- c:\windows\system32\drivers\wsnclireksan.sys
2011-04-30 00:51:56 -------- d-----w- c:\documents and settings\sandy\Pavark
2011-04-30 00:07:38 1377112 ----a-w- C:\TDSSKiller.exe
2011-04-29 20:07:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-29 20:07:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-29 20:03:44 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-29 20:03:44 -------- d-----w- c:\documents and settings\sandy\log
2011-04-29 14:13:19 -------- d-----w- c:\program files\Trend Micro
2011-04-27 22:16:26 -------- d-----w- C:\0fbe6599bb9e83ab2e98b896d974ac79
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-28 15:45:55 0 -c--a-w- c:\windows\Ojogu.bin
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 20:02:10.87 ===============

Attached Files


Edited by Noviciate, 10 May 2011 - 02:00 PM.
Log added from attachment.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:32 AM

Posted 10 May 2011 - 02:16 PM

Good evening. :)

I can see some oddly named drivers that I don't recognize, so i'd like some more information about them. They are seem to be identical, so you only need to find one of the four files, if any are still present, and work through the instructions for it.

Please go to Jotti's and click on the Browse... button at the top and navigate to ONE of the following file and then click on Submit:

c:\windows\system32\drivers\bidlbadqduex.sys
c:\windows\system32\drivers\tbygrwnhvsck.sys
c:\windows\system32\drivers\wsnclireksan.sys
c:\windows\system32\drivers\nwjhqfqrhivu.sys


When all the scans have been completed, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
* These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after you have done.
*

So long, and thanks for all the fish.

 

 


#9 Russklo

Russklo
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:32 PM

Posted 11 May 2011 - 10:35 AM

Hi,

I think this is what you are wanting:

http://virusscan.jotti.org/en/scanresult/f60bb8aec6c170419ded52b804920a01a5055e20/49a08757211bb001fae0f9cc6fbec43f1d6ba744

http://virusscan.jotti.org/en/scanresult/f60bb8aec6c170419ded52b804920a01a5055e20/e29699682ff4463926a7d1dafe00e867de7bc23c

http://virusscan.jotti.org/en/scanresult/f60bb8aec6c170419ded52b804920a01a5055e20/e4ec9788c7396b35afd925b32a6cd584faf59a31

http://virusscan.jotti.org/en/scanresult/f60bb8aec6c170419ded52b804920a01a5055e20/7b89fe6fc055d1a1e4ca270e70d2bb53f633a731

I scan each of the files, clicked on the permalink button (not sure what it does; saves the information, I guess)copied the link and pasted it here. On the computer each of the these files is described as "Anti-Malware Driver Support" and credited to "Panda Software International." I did install an anti-malware program like this and then removed it. The Jotti scans indicate 1 out of 19 that they are Malware. I am not sure why these files would still be on the computer since I uninstalled the program I would associate them with?

Russ

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:32 AM

Posted 11 May 2011 - 02:02 PM

Good evening. :)

I scan each of the files, clicked on the permalink button (not sure what it does; saves the information, I guess)copied the link and pasted it here.

Yup, you link to a page with the information about the file on it rather than copy and pasting the information itself.
If somebody else submits the same file the site doesn't have to rescan it, just offer the link to the original scan results.

On the computer each of the these files is described as "Anti-Malware Driver Support" and credited to "Panda Software International." I did install an anti-malware program like this and then removed it.

Randomly naming files is something that both malicious and legitimate software writers do, so it's difficult to know what files are just by names - hence my interest. If they claim to be Panda and you installed Panda software, then i'd say they were indeed Panda and all is well.

The Jotti scans indicate 1 out of 19 that they are Malware.

False positives are not unknown, which is why a multi-scanner option like Jottis makes sense.

I am not sure why these files would still be on the computer since I uninstalled the program I would associate them with?

The app you ran, Panda Anti-Rootkit I would guess, obviously wasn't coded to remove the drivers that it created once they were done with - leftovers like this aren't that uncommon sadly.

Feel free to manually delete the files, if you haven't already.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which i've used at one time or another) :

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older version of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.

 

 


#11 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:01:32 AM

Posted 15 May 2011 - 01:33 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users