
Rootkit Infection


6 replies to this topic

#1 J.Watson (Members, 7 posts)

Posted 09 May 2011 - 08:33 PM

Every time I restart my computer, I get the black screen of death and have to press F12 to get to the boot settings to get Windows XP started. The Windows XP theme switches to the classic theme constantly and the Windows Audio disables itself. Also, this error pops up occasionally whenever I'm on the computer:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ASHLEY at 20:31:07.14 on Mon 05/09/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.865 [GMT -7:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Cisco Systems\Cisco Valet Connector\CiscoAdapterSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\ASHLEY.ASHLEY-F4EDEA80\My Documents\Downloads\Defogger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ASHLEY.ASHLEY-F4EDEA80\My Documents\Downloads\dds(1).scr
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{cccc7d2d-9a4c-4c9a-9bd4-cc4815b28ccc}
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [AROReminder]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_Plugin.exe -update plugin
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\documents and settings\ashley.ashley-f4edea80\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\ashley.ashley-f4edea80\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ashley~1.ash\applic~1\mozilla\firefox\profiles\deyn3nra.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 RaAutoInstSrv_AM10;Cisco Valet Connector Service;c:\program files\cisco systems\cisco valet connector\CiscoAdapterSvc.exe [2011-4-17 529024]
R3 AM10;Cisco AM10 Driver;c:\windows\system32\drivers\AM10XP.sys [2011-4-16 816672]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-3-10 115312]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-13 1691480]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
.
=============== Created Last 30 ================
.
2011-05-03 14:47:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-03 14:47:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-03 14:47:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-03 02:07:10 -------- d-----w- c:\docume~1\ashley~1.ash\applic~1\SUPERAntiSpyware.com
2011-05-03 02:07:10 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2011-04-28 19:24:09 -------- d-----w- c:\docume~1\ashley~1.ash\applic~1\Cidaca
2011-04-22 16:52:34 -------- d-----w- c:\docume~1\ashley~1.ash\applic~1\Malwarebytes
2011-04-22 16:37:38 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-04-21 08:31:10 -------- d-sh--w- c:\documents and settings\ashley.ashley-f4edea80\IECompatCache
2011-04-20 22:17:49 0 ----a-w- c:\windows\Fgogahukoziyeq.bin
2011-04-16 21:22:47 45056 ----a-w- c:\windows\system32\UTSCSI.EXE
2011-04-16 21:22:46 816672 ---ha-w- c:\windows\system32\drivers\AM10XP.sys
2011-04-16 21:22:46 226592 ---ha-w- c:\windows\system32\RaCoInst.dll
2011-04-16 21:22:46 -------- d-----w- c:\program files\Cisco Systems
2011-04-16 21:22:32 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Cisco Systems
.
==================== Find3M ====================
.
2011-02-23 18:18:05 389120 ----a-w- c:\windows\system32\CF28456.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2009-12-13 21:09:39 583733444 ----a-w- c:\program files\wl_setup_5.0.0_20091124.exe
2008-07-03 16:20:50 1611128 -c--a-w- c:\program files\Paint.NET.3.35.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815AS rev.4.ADA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A551730]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a557a10]; MOV EAX, [0x8a557a8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A5A1AB8]
3 CLASSPNP[0xB80F8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000005f[0x8A5A3F18]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A58ED98]
\Driver\atapi[0x8A5D5A48] -> IRP_MJ_CREATE -> 0x8A551730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A55157B
user & kernel MBR OK
copy of MBR has been found in sector 312496380
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:34:27.67 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/13/2009 10:02:47 AM
System Uptime: 5/8/2011 8:49:55 AM (36 hours ago)
.
Motherboard: Dell Inc. | | 0RY206
Processor: AMD Sempron™ Processor LE-1300 | Socket AM2 | 2310/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 57.242 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_020E1028&REV_A2\3&2411E6FE&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_020E1028&REV_A2\3&2411E6FE&0&09
Service:
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&72ACDAA&0&4820
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&72ACDAA&0&4820
Service:
.
Class GUID:
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_020E1028&REV_A2\3&2411E6FE&0&38
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_03EF&SUBSYS_020E1028&REV_A2\3&2411E6FE&0&38
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: Applied Networking Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BitTorrent
Bonjour
Cisco Valet Connector
Compatibility Pack for the 2007 Office system
Dell Resource CD
Free Studio version 5.0.8
Hamachi 1.0.1.3
High Definition Audio Driver Package - KB888111
iTunes
Java Auto Updater
Java™ 6 Update 23
KeyScrambler
Lexmark 2300 Series
Malwarebytes' Anti-Malware
Media Player Codec Pack 3.9.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Primary Interoperability Assemblies 2005
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox 4.0.1 (x86 en-US)
MSN
MSVCRT
MSXML 6 Service Pack 2 (KB973686)
NetAssistant
NetAssistant for Firefox
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
Opera 11.10
PacMania 2
PowerDVD
Prism Video File Converter
QuickTime
Realtek High Definition Audio Driver
Segoe UI
Spybot - Search & Destroy
SUPERAntiSpyware
Uninstall 1.0.0.1
WavePad Sound Editor
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinRAR archiver
Wonderland Online
.
==== Event Viewer Messages From Past Week ========
.
5/7/2011 10:24:25 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 687F747EB3FE has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
5/5/2011 8:40:08 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
5/5/2011 10:10:06 PM, error: Service Control Manager [7000] - The ASCTRM service failed to start due to the following error: The system cannot find the file specified.
5/4/2011 7:45:25 AM, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.
5/4/2011 2:13:30 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/4/2011 10:41:57 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
5/3/2011 11:41:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/3/2011 11:28:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/3/2011 11:28:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
5/3/2011 11:28:06 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/3/2011 11:28:06 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/3/2011 11:28:06 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/3/2011 11:28:06 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/3/2011 11:28:06 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/3/2011 11:28:06 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/3/2011 10:58:37 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
.
==== End Of File ===========================
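As an added example (not part of the original thread and not code from the DDS or Gmer tools), here is a small Python triage parser for the ROOTKIT section of a DDS log like the one above: it pulls out the unknown module address, the detected hooks, the stored-MBR sector and the tool's warning line so the indicators can be compared across logs. The sample input is an excerpt copied from the log posted above (the _asm dumps are left out); the regexes, dataclass and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: an excerpt of the ROOTKIT section from the DDS log
# posted in this thread (the _asm dumps and part of the disk trace are left out).
SAMPLE_ROOTKIT_SECTION = r"""=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815AS rev.4.ADA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A551730]<<
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A5A1AB8]
\Driver\atapi[0x8A5D5A48] -> IRP_MJ_CREATE -> 0x8A551730
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A55157B
user & kernel MBR OK
copy of MBR has been found in sector 312496380
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:34:27.67 ===============
"""

# Line shapes the Gmer MBR check prints (regexes are my own, written from the log above).
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")
MBR_COPY_RE = re.compile(r"^copy of MBR has been found in sector (\d+)$")


@dataclass
class RootkitFindings:
    """Structured view of what the DDS ROOTKIT section reported."""
    unknown_modules: List[str] = field(default_factory=list)         # code in the disk stack mapping to no known module
    hooks: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver object, hooked routine, target address)
    mbr_copy_sector: Optional[int] = None                            # sector holding a stored copy of the MBR, if any
    warnings: List[str] = field(default_factory=list)
    read_errors: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any one of these is enough to escalate the log to a rootkit-removal workflow.
        return bool(self.unknown_modules or self.hooks or self.warnings
                    or self.mbr_copy_sector is not None)


def parse_rootkit_section(dds_text: str) -> RootkitFindings:
    """Extract rootkit indicators from the ROOTKIT section of a DDS log."""
    findings = RootkitFindings()
    in_section = False
    in_hooks = False
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "ROOTKIT" in line:
            in_section = True
            continue
        if line.startswith("=") and "FINISH" in line:
            break                      # end of the DDS.txt body
        if not in_section or line in ("", "."):
            continue
        if line.endswith(":"):         # "Disk trace:", "detected hooks:", ...
            in_hooks = line == "detected hooks:"
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings.unknown_modules.append(m.group(1))
        m = HOOK_RE.match(line) if in_hooks else None
        if m:
            findings.hooks.append((m.group(1), m.group(2), m.group(3)))
        m = MBR_COPY_RE.match(line)
        if m:
            findings.mbr_copy_sector = int(m.group(1))
        if line.startswith("Warning:"):
            findings.warnings.append(line[len("Warning:"):].strip())
        elif line.startswith("error:"):
            findings.read_errors.append(line[len("error:"):].strip())
    return findings


def summarize(findings: RootkitFindings) -> List[str]:
    """Human-readable triage lines, one per indicator."""
    out = []
    for addr in findings.unknown_modules:
        out.append(f"unknown code in disk I/O path at {addr}")
    for drv, routine, target in findings.hooks:
        out.append(f"{drv} {routine} hooked -> {target}")
    if findings.mbr_copy_sector is not None:
        # MBR bootkits typically stash the original MBR elsewhere on disk so the system still boots.
        out.append(f"stored MBR copy in sector {findings.mbr_copy_sector}")
    out.extend(f"tool warning: {w}" for w in findings.warnings)
    return out


if __name__ == "__main__":
    result = parse_rootkit_section(SAMPLE_ROOTKIT_SECTION)
    print("suspicious" if result.suspicious else "clean")
    for item in summarize(result):
        print(" -", item)
```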


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 10 May 2011 - 06:46 AM

Welcome to BC!

Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of C:\ComboFix.txt in step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click the donation link.


#3 J.Watson

J.Watson
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:49 AM

Posted 10 May 2011 - 06:38 PM

I have the TDSSKiller log but couldn't do the ComboFix one. It's saying that AVG 2011 isn't disabled, but I no longer have that anti-virus program. I don't know how to fix this issue and now I'm afraid to run ComboFix:


2011/05/10 19:19:50.0734 3476 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/10 19:19:51.0359 3476 ================================================================================
2011/05/10 19:19:51.0359 3476 SystemInfo:
2011/05/10 19:19:51.0359 3476
2011/05/10 19:19:51.0359 3476 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/10 19:19:51.0359 3476 Product type: Workstation
2011/05/10 19:19:51.0359 3476 ComputerName: ASHLEY-F4EDEA80
2011/05/10 19:19:51.0359 3476 UserName: ASHLEY
2011/05/10 19:19:51.0359 3476 Windows directory: C:\WINDOWS
2011/05/10 19:19:51.0359 3476 System windows directory: C:\WINDOWS
2011/05/10 19:19:51.0359 3476 Processor architecture: Intel x86
2011/05/10 19:19:51.0359 3476 Number of processors: 1
2011/05/10 19:19:51.0359 3476 Page size: 0x1000
2011/05/10 19:19:51.0359 3476 Boot type: Normal boot
2011/05/10 19:19:51.0359 3476 ================================================================================
2011/05/10 19:19:51.0562 3476 Initialize success
2011/05/10 19:20:01.0718 0912 ================================================================================
2011/05/10 19:20:01.0718 0912 Scan started
2011/05/10 19:20:01.0718 0912 Mode: Manual;
2011/05/10 19:20:01.0718 0912 ================================================================================
2011/05/10 19:20:11.0484 0912 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/10 19:20:11.0515 0912 ================================================================================
2011/05/10 19:20:11.0515 0912 Scan finished
2011/05/10 19:20:11.0515 0912 ================================================================================
2011/05/10 19:20:11.0515 4056 Detected object count: 1
2011/05/10 19:20:27.0890 4056 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/10 19:20:27.0890 4056 \HardDisk1 - ok
2011/05/10 19:20:27.0890 4056 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/05/10 19:21:02.0562 2752 Deinitialize success
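As an added example (not code from this thread, from TDSSKiller, or from BleepingComputer), a small Python triage helper for the log format shown above: it separates TDSSKiller's driver inventory from its detection and post-scan action lines, pulls the failed-driver names out of the Service Control Manager 7026 event from the first post, and cross-checks the two so a responder can see which failed boot-start drivers the scanner actually found on disk. The regexes and the `Triage` structure are assumptions of this example; the sample lines are copied from the logs in this thread.

```python
"""Triage helper for the TDSSKiller log and the Service Control Manager event
shown in this thread (added example, not TDSSKiller's own code)."""
import re
from dataclasses import dataclass, field

# Driver-inventory line: "<ts> <tid> <service> (<md5>) <image path>"
INVENTORY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) +(?P<tid>\d+) +"
    r"(?P<name>\S+) +\((?P<md5>[0-9a-f]{32})\) +(?P<path>.+)$"
)
# Detection line: "<ts> <tid> <object> - detected <verdict> (<n>)"
DETECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) +\d+ +(?P<obj>\S+) - detected (?P<verdict>\S+) \(\d+\)$"
)
# Post-scan action line: "<ts> <tid> <object> (<verdict>) - <outcome>"
ACTION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) +\d+ +(?P<obj>\S+) \((?P<verdict>[^)]+)\) - (?P<outcome>.+)$"
)
# Event ID 7026: boot-start / system-start drivers that failed to load
SCM7026_RE = re.compile(r"\[7026\] - .*failed to load: (?P<drivers>.+)$")


@dataclass
class Triage:
    inventory: dict = field(default_factory=dict)   # service name -> (md5, path)
    detections: list = field(default_factory=list)  # (object, verdict)
    actions: list = field(default_factory=list)     # (object, verdict, outcome)


def parse_tdsskiller(lines):
    """Split a TDSSKiller log into the driver inventory, detections and actions."""
    t = Triage()
    for line in lines:
        line = line.rstrip()
        if m := INVENTORY_RE.match(line):
            t.inventory[m["name"]] = (m["md5"], m["path"])
        elif m := DETECT_RE.match(line):
            t.detections.append((m["obj"], m["verdict"]))
        elif m := ACTION_RE.match(line):
            t.actions.append((m["obj"], m["verdict"], m["outcome"]))
    return t


def failed_boot_drivers(event_line):
    """Return the driver names listed in a Service Control Manager 7026 event."""
    m = SCM7026_RE.search(event_line)
    return m["drivers"].split() if m else []


def cross_reference(triage, failed):
    """Map each failed driver to the (md5, path) TDSSKiller saw on disk, or None."""
    return {name: triage.inventory.get(name) for name in failed}


# Sample input: a handful of lines copied from the logs posted in this thread
SAMPLE_TDSSKILLER = r"""
2011/05/10 19:20:01.0718 0912 Scan started
2011/05/10 19:20:02.0562 0912 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/05/10 19:20:10.0187 0912 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/10 19:20:11.0484 0912 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/10 19:20:11.0515 0912 Scan finished
2011/05/10 19:20:27.0890 4056 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/10 19:20:27.0890 4056 \HardDisk1 - ok
""".strip().splitlines()

SAMPLE_EVENT = (
    "5/3/2011 11:28:06 PM, error: Service Control Manager [7026] - The following "
    "boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb "
    "NetBIOS NetBT Processor RasAcd Rdbss SASDIFSV SASKUTIL Tcpip"
)

if __name__ == "__main__":
    triage = parse_tdsskiller(SAMPLE_TDSSKILLER)
    for obj, verdict in triage.detections:
        print(f"DETECTED {verdict} on {obj}")
    for obj, verdict, outcome in triage.actions:
        print(f"ACTION   {obj}: {outcome}")
    for name, seen in cross_reference(triage, failed_boot_drivers(SAMPLE_EVENT)).items():
        print(f"FAILED   {name:10} image on disk: {seen[1] if seen else 'not in inventory'}")
```

Drivers reported as failed but absent from the inventory (here everything except AFD and Tcpip, because the sample is short) are the ones worth pulling from the full log or the disk image next.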

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 11 May 2011 - 01:05 AM

I have the TDSSKiller log but couldn't do the ComboFix one. It's saying that AVG 2011 isn't disabled, but I no longer have that anti-virus program. I don't know how to fix this issue and now I'm afraid to run ComboFix:

The AVG hasn't been removed properly.


Step 1.
TDSSKiller:

Reboot your computer.

We'll run TDSSKiller again to verify the removal.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
ComboFix:

It's known that AVG interferes with ComboFix and has to be completely removed.
Sometimes the uninstallation is incomplete.
Please use AVGremover to remove leftovers from AVG.
Should that fail, use AppRemover.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.
Things I would like to see in your reply:

  • The content of the log from TDSSKiller in step 1.
  • The content of C:\ComboFix.txt from step 2.



#5 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 16 May 2011 - 07:55 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#6 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 PM

Posted 21 May 2011 - 11:09 AM

This topic has been re-opened at the request of the person who originally posted.



#7 J.Watson

J.Watson
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:49 AM

Posted 21 May 2011 - 07:47 PM

Thank you. :D

Should I re-run TDSSKiller and ComboFix or was there something else I should do? AVG is no longer on my computer.
