Possible rootkit or bios or boot virus?

#1 pacificdenizen


Posted 22 May 2011 - 08:40 AM

XP Professional 2002, SP3
very old Dell Optiplex GX260 (bought refurbished)
Intel Pentium 2.4 GHz, 512 MB RAM

Sorry this is so long. I have tried to organize and explain clearly, but I also wanted to include some background.

My Concerns:

I'm requesting help to determine if my computer has a rootkit. I have removed several pieces of malware over the past few days. It is working better now, but several things make me wonder about a possible rootkit or bios/boot infection.

1. I have had many, many, many recurring problems with malware over the years. Often, strange symptoms or red flags raised on scan persist even after a complete reformat and reinstallation from my XP disk.

2. Even though I have always reformatted from the same XP disk, how the computer behaves during the reformatting process has changed over time (see below).

3. Recently, I moved a thumb drive from this XP computer to a newer Vista computer in our house. The other computer immediately began showing signs of infection, some of which have persisted even after resetting that computer to factory, "out of the box" state. That computer gave me a warning that its boot information has changed.

I want to make sure this computer is clean before using it to try to fix the other one. Although it seems to be working better now, I don't trust it yet and would like someone with training and experience to look at the logs.

Recent Symptoms

USER ACCOUNT PROBLEMS: Approximately six weeks ago, I reformatted the computer because of problems with user accounts. They would initially fail to accept my password, and then they would simply disappear. I assumed at the time that the problems were related to bad disk sectors or hardware problems. This computer has shown bad disk areas for a long time.

LOCAL CONNECTION ONLY: I reformatted this computer again about two weeks ago, because it would obtain only a local network connection. I followed many online recommendations for fixing the problem (e.g., releasing and renewing the IP address with IPconfig, making sure services were running, reinstalling wireless adapter drivers, rebuilding Winsock). I never was able to fix the problem and ended up reformatting. I was able to get online after reformatting, but other problems occurred almost immediately.

EXCESSIVE NETWORK ACTIVITY: After reformat, the computer seemed "busier," with humming and excessive network activity. There were repeated episodes during which programs froze and the network adapter and icon lit up as for network traffic and stayed that way. Comodo firewall during these episodes showed activity by System, my antivirus, and two instances of svchost.exe. The cursor was navigable but could not be moved onto the taskbar. Ctrl-alt-delete would not work. Unplugging the network adapter solved the problem, but the activity would sometimes recur when connected again.

BLACK SCREENS: Each time upon reboot, there are two (sometimes lengthy) black screens both before and after the Windows logo. This particular computer has always shown black screens with blinking cursors, but now there is no longer a cursor.

SHUTDOWN SCRIPTS: During one of the shutdowns around this time, the computer gave a message, "Running shutdown scripts."

NOT SHUTTING DOWN ENTIRELY ON RESTART???: If I select "restart" to reboot the computer, the computer does not appear to shut down completely before restarting. The humming of activity on the machine never stops. It is not possible to use F12 or F8 for alternate startup during a "restart." The computer simply boots into normal mode, with the black screens. I can get F8 and F12 to function if I shut down the computer entirely using the "turn off computer" button or the power button.

THUMB DRIVE FROM THIS COMPUTER MAY HAVE INFECTED ANOTHER COMPUTER???: Finally, I made the mistake of moving a thumb drive from this XP computer to a newer Vista computer in our house. The other computer immediately started showing signs of infection, including locking me out of the system and making unauthorized changes to Windows. It gave me a warning that its boot information has been changed. I will save further info. about that computer for another thread, unless you have questions about it.

I would like to make sure all the user groups on my computer are legitimate. On the other computer, one came up on a scan as "unknown user" S-1-21-etcetera.

My Actions and Attempts to Fix the Problem (Sorry if some of this was reckless; I am not sure of the sequence, either):

I ran Superantispyware and Malwarebytes. Malwarebytes found nothing. Superantispyware found only some familiar tracking cookies

Before finding your site, I removed several pieces of malware using random scans found at help sites like yours. I am sorry that I don't remember the names--I did not expect to be writing on this board and didn't write them down. Avast found a trojan keylogger. One of the scans I ran also alerted to something like e1000msg.dll or e1000msg.exe.

I remembered using Combofix last year, with a tech's help, to clear an infection, so I ran it again. Sorry, I didn't realize we weren't supposed to do that. It warned immediately that there was rootkit activity on the computer and insisted on rebooting before doing the scan. I am sorry that I don't remember exactly what it found, but it did delete at least one file.

I then rebooted again and ran Combofix again. Again, it warned of rootkit activity immediately.

I decided to reformat the system completely.

I reformatted and did a new installation using my XP disk, and ran Combofix again. It again detected rootkit activity.

I have talked to several computer people informally about these issues. Several have suggested the possibility of a bios or boot sector virus. I have also been told that the motherboard may be failing on this very old computer.

I went into Recovery Console and did commands for fixboot and fixmbr. Fixboot did not appear to do anything. Fixmbr stated it was successful. When I restarted out of Recovery Console, the computer again did not appear to completely shut down before restarting. When I got to the desktop and ran combofix again, it again detected the presence of rootkit activity.

I did fixmbr one more time. Instead of going back to my desktop from Recovery Console, I booted to the XP disk and reformatted again completely. I found your site soon afterward and have not run Combofix again.

In my latest scan, McAfee Stinger detected the Artemis F206C61003B5 trojan. However, the actual files refer to rkill.exe, which I ran prior to running Stinger, so I am guessing it is a false positive. The "CatchMe" rootkit scanner did not find anything. Avast did not find anything. The Kaspersky scan causes little popups that say files called backup.db are password protected. This post includes the scans requested on your website.

Why I have had Longstanding Concerns about Rootkits

This computer has a longstanding history of recurrent malware infections despite good AV and firewalls. In addition, my event logs are always full of warnings and alerts. Bad hard disk sectors always show up on a disk scan. I don't know what is malware-related versus hardware problems. My security and IE logs are blank.

Some of the event log alerts sound ominous to me:

"The 54365291 service was successfully sent a start command."
"The 54365291 Boot Guard Driver service was successfully sent a start control."

After reformat and even before connecting to the internet, this computer always registers rsop planning provider, cmdtriggerconsumer, and others in the WMI namespace. In the past, I have turned off the WMI service, because otherwise the computer would hum and seem to be making connections constantly. It always seemed strange to me that my computer seemed ready to make remote connections right after reformat and before even being exposed to the internet.

This next part is particularly weird: Even though I reformat from the same XP disk each time, the reformatting process has changed over time. Initially, a reformat would result in a desktop that looked big, crude, and pixelly, until the graphics driver and other drivers were installed by me. There was no interruption of the reformat to ask for specific files or other disks. On later reformats, the computer started asking for an XP service pack 2 disk during the reformat, or a missing file. Now, the computer no longer asks for disks or files, but the desktop comes up looking sharp and clear despite the fact that it is set at a very low resolution. Also, there is now an "Intel Inside" logo on the windows logo screen that never used to be there.


The computer seems to be working okay now after removing some malware--it is still just mildly sluggish. I remain anxious about keyloggers and rootkits. It is probably time to buy a new computer, but I am very hesitant to do so before I figure out what has made me so vulnerable to problems with this one. I do not want to repeat this process on a new machine.

Thank you very much in advance for any help you can give.

DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 17:13:59 on 2011-05-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.219 [GMT -4:00]
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Dynex G USB Network Adapter\DynexWCUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager] c:\windows\system32\wltray.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\administrator\desktop\virus removal tool\setup_9.0.0.722_21.05.2011_18-10\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dynexw~1.lnk - c:\program files\dynex g usb network adapter\DynexWCUI.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1305940394875
Notify: igfxcui - igfxsrvc.dll
============= SERVICES / DRIVERS ===============
R0 54365292;54365292 Boot Guard Driver;c:\windows\system32\drivers\54365292.sys [2011-5-21 37392]
R1 54365291;54365291;c:\windows\system32\drivers\54365291.sys [2011-5-21 128016]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-20 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-20 307928]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-21 18816]
R1 setup_9.0.0.722_21.05.2011_18-10drv;setup_9.0.0.722_21.05.2011_18-10drv;c:\windows\system32\drivers\5436529.sys [2011-5-21 315408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-20 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-20 42184]
R3 NdisWDM;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [2011-5-20 198528]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
=============== Created Last 30 ================
2011-05-21 19:55:26 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-05-21 19:55:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-21 19:55:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-21 19:55:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-21 19:55:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-21 19:52:11 1007108 ----a-w- c:\program files\rkill.exe
2011-05-21 16:32:50 -------- d-----w- c:\program files\tdsskiller
2011-05-21 15:46:22 37392 ----a-w- c:\windows\system32\drivers\54365292.sys
2011-05-21 15:46:22 315408 ----a-w- c:\windows\system32\drivers\5436529.sys
2011-05-21 15:46:22 128016 ----a-w- c:\windows\system32\drivers\54365291.sys
2011-05-21 15:42:04 119084928 ----a-w- c:\program files\setup_9.0.0.722_21.05.2011_18-10.exe
2011-05-21 15:13:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-21 13:47:54 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-05-21 13:09:00 -------- d-----w- c:\program files\Sophos
2011-05-21 13:08:04 1376832 ----a-w- c:\program files\sar_15_sfx.exe
2011-05-21 05:00:21 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-05-21 04:59:55 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-05-21 04:59:20 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-05-21 04:59:20 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-05-21 04:58:52 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-05-21 04:55:54 4630535 ----a-w- c:\program files\stinger10101609.exe
2011-05-21 04:00:21 -------- d-----w- c:\windows\system32\scripting
2011-05-21 04:00:20 -------- d-----w- c:\windows\l2schemas
2011-05-21 04:00:19 -------- d-----w- c:\windows\system32\en
2011-05-21 04:00:19 -------- d-----w- c:\windows\system32\bits
2011-05-21 03:55:02 -------- d-----w- c:\windows\network diagnostic
2011-05-21 03:32:25 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2011-05-21 03:08:22 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2011-05-21 03:07:58 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-05-21 03:07:29 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-05-21 02:52:21 -------- d-----w- c:\windows\ie8updates
2011-05-21 02:52:03 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-05-21 02:52:02 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-05-21 02:52:02 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-05-21 02:52:01 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-05-21 02:52:01 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-05-21 02:51:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-05-21 02:51:59 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-05-21 02:49:42 -------- dc-h--w- c:\windows\ie8
2011-05-21 02:44:46 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-21 02:44:02 40112 ----a-w- c:\windows\avastSS.scr
2011-05-21 02:43:56 -------- d-----w- c:\program files\AVAST Software
2011-05-21 02:43:56 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-05-21 02:42:33 -------- d-----w- c:\windows\ServicePackFiles
2011-05-21 01:38:37 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-05-21 01:36:26 455936 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-05-21 01:36:11 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2011-05-21 01:35:14 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-05-21 01:35:14 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-05-21 01:35:07 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-05-21 01:30:53 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-05-21 01:30:14 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-05-21 01:30:14 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-05-21 01:30:11 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-05-21 01:20:05 -------- d-----w- c:\windows\system32\PreInstall
2011-05-21 01:20:04 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-05-21 01:20:03 -------- d--h--w- c:\windows\$hf_mig$
2011-05-21 01:13:45 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-05-21 01:13:44 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-05-21 01:13:44 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-05-21 01:13:44 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-05-21 01:13:44 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-05-21 01:12:49 -------- d-sh--w- c:\documents and settings\administrator\UserData
2011-05-21 01:06:38 155648 ----a-w- c:\windows\system32\igfxres.dll
2011-05-21 01:02:48 24064 ----a-w- c:\windows\system32\IntelNic.dll
2011-05-21 01:02:48 126976 ----a-w- c:\windows\system32\e1000msg.dll
2011-05-21 01:02:48 121856 ----a-w- c:\windows\system32\drivers\e1000325.sys
2011-05-21 01:02:48 118784 ----a-w- c:\windows\system32\Prounstl.exe
2011-05-21 01:02:48 -------- d-----w- C:\drvrtmp
2011-05-21 01:02:12 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-05-21 01:02:10 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2011-05-21 01:02:08 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2011-05-21 01:02:04 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2011-05-21 01:02:02 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2011-05-21 01:02:01 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2011-05-21 01:02:00 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2011-05-21 01:00:49 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-05-21 01:00:40 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-05-21 01:00:40 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-05-21 01:00:40 225280 ----a-w- c:\program files\common files\installshield\iscript\IScript.dll
2011-05-21 01:00:40 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-05-21 01:00:39 610436 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
==================== Find3M ====================
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
============= FINISH: 17:15:50.85 ===============
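
A small triage script, added here as an illustration and not part of this post, of DDS, or of Bleeping Computer's tooling, that reads the SERVICES / DRIVERS and Created Last 30 sections of a DDS log like the one above. It flags drivers whose file name is digits only or whose backing file is a .tmp file or is missing (DDS prints `[?]` for those), and for each flagged driver lists the other files created within a few minutes of it, which is how a responder would spot that a driver arrived together with an installer. The flagging criteria and the five-minute window are this script's own assumptions, not a verdict on any file; the sample lines are copied from the DDS log in this post.

```python
"""Triage the SERVICES / DRIVERS and Created Last 30 sections of a DDS log (added example)."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Sample input: lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
R0 54365292;54365292 Boot Guard Driver;c:\windows\system32\drivers\54365292.sys [2011-5-21 37392]
R1 54365291;54365291;c:\windows\system32\drivers\54365291.sys [2011-5-21 128016]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-20 441176]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-5-21 18816]
R1 setup_9.0.0.722_21.05.2011_18-10drv;setup_9.0.0.722_21.05.2011_18-10drv;c:\windows\system32\drivers\5436529.sys [2011-5-21 315408]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-20 42184]
R3 NdisWDM;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\drivers\NdisWDM.sys [2011-5-20 198528]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]
=============== Created Last 30 ================
2011-05-21 19:52:11 1007108 ----a-w- c:\program files\rkill.exe
2011-05-21 16:32:50 -------- d-----w- c:\program files\tdsskiller
2011-05-21 15:46:22 37392 ----a-w- c:\windows\system32\drivers\54365292.sys
2011-05-21 15:46:22 315408 ----a-w- c:\windows\system32\drivers\5436529.sys
2011-05-21 15:46:22 128016 ----a-w- c:\windows\system32\drivers\54365291.sys
2011-05-21 15:42:04 119084928 ----a-w- c:\program files\setup_9.0.0.722_21.05.2011_18-10.exe
============= FINISH: 17:15:50.85 ===============
"""

# "R0 name;display name;path [yyyy-m-d size]"  or  "... original --> resolved [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TAIL_RE = re.compile(r"^(?P<path>.+?)\s+\[\d{4}-\d{1,2}-\d{1,2}\s+\d+\]$")
# "yyyy-mm-dd hh:mm:ss size attributes path"
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\S+\s+\S+\s+(?P<path>.+)$")


@dataclass
class Driver:
    start: str          # R0 boot, R1 system, R2 auto, R3 manual; S* = not running
    name: str
    path: str
    file_missing: bool  # DDS prints "[?]" when it cannot find the backing file


@dataclass
class Created:
    ts: datetime
    path: str


@dataclass
class Finding:
    service: str
    path: str
    reasons: List[str]
    created_at: Optional[datetime]
    companions: List[str]  # other files created within the window (assumed: 5 minutes)


def parse_dds(text: str) -> Tuple[List[Driver], List[Created]]:
    drivers, created, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):  # section header or footer
            section = ("drivers" if "SERVICES / DRIVERS" in line
                       else "created" if "Created Last 30" in line else None)
            continue
        if section == "drivers" and (m := SERVICE_RE.match(line)):
            rest = m["rest"]
            if rest.endswith("[?]"):
                # keep the resolved path, remember that the file was not found
                path = rest[:-3].strip().split(" --> ")[-1]
                drivers.append(Driver(m["start"], m["name"], path, True))
            elif (t := TAIL_RE.match(rest)):
                drivers.append(Driver(m["start"], m["name"], t["path"], False))
        elif section == "created" and (m := CREATED_RE.match(line)):
            created.append(Created(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["path"]))
    return drivers, created


def triage(drivers: List[Driver], created: List[Created],
           window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Flag drivers worth a closer look and list files created around the same time."""
    by_path = {c.path.lower(): c for c in created}
    findings = []
    for d in drivers:
        stem, ext = ntpath.splitext(ntpath.basename(d.path))  # ntpath handles backslashes on any OS
        reasons = []
        if stem.isdigit():
            reasons.append("file name is digits only")
        if d.file_missing or ext.lower() == ".tmp":
            reasons.append("backed by a .tmp file or a file DDS could not find")
        if not reasons:
            continue
        if d.start in ("R0", "R1"):
            reasons.append(f"start type {d.start}: loads before user logon")
        entry = by_path.get(d.path.lower())
        companions = sorted(c.path for c in created
                            if entry and c.path != entry.path and abs(c.ts - entry.ts) <= window)
        findings.append(Finding(d.name, d.path, reasons, entry.ts if entry else None, companions))
    return findings


if __name__ == "__main__":
    drv, crt = parse_dds(SAMPLE_DDS)
    for f in triage(drv, crt):
        print(f"{f.service}: {f.path}")
        for r in f.reasons:
            print(f"  - {r}")
        if f.created_at:
            print(f"  created {f.created_at}; files created within 5 min: {', '.join(f.companions)}")
```

On the sample above the three numeric-named drivers share one creation second and sit a few minutes after a large setup executable, which is the kind of cluster a helper would check against the tools the poster says they installed that day before treating anything as malicious.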

#2 m0le


  Malware Response Team
Posted 30 May 2011 - 06:23 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

#3 pacificdenizen

Posted 30 May 2011 - 08:21 PM

Thanks very much for helping me. I'm here.

The computer seems to be working well now since removing the malware, except that the black screens persist at startup. I appreciate your looking at the logs to rule out a rootkit. I do have WMI disabled and have about 100 error messages related to DCOM. I also still get event log alerts about a bad disk sector.

The other computer I mentioned started having serious problems after I moved a memory stick to it from this computer. It reported changes to the boot information and is currently reporting unauthorized changes to Windows and has locked me out of my account. I mention that only for information....I have a separate thread pending for that computer.

Thanks very much for being here to help.

#4 m0le


  Malware Response Team
Posted 31 May 2011 - 05:18 PM

That's quite a story. The Combofix detection after the event can happen if it finds the rootkit in quarantine in an antivirus program so we're finding out. The best thing to do would be to take a look at the rootkit angle - so far there doesn't seem to be anything other than understandable distrust of your machine on your part.

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Now please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
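
The TDSSKiller report requested above is a plain-text list, one loaded driver per line with its MD5 and path (the format can be seen in the report posted in the next reply). The following script is an added example, not part of this thread or of TDSSKiller, that turns such a report into an inventory keyed by driver name and diffs two inventories, reporting drivers that were added, removed, or whose hash or path changed. Comparing a fresh scan against an earlier one is how a responder checks whether a boot-loaded driver changed between two reboots or reformats. The current report lines are copied from the report posted below; the baseline report is constructed for this example, with one driver missing, one extra, and one placeholder hash of all zeros.

```python
"""Inventory and diff the driver lines of TDSSKiller reports (added example)."""
import re
from typing import Dict, List, NamedTuple

# "yyyy/mm/dd hh:mm:ss.ffff <pid> <name> (<md5>) <path>"; header lines have no "(md5)" and are skipped
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{4})\s+(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")

# Copied from the report posted below.
CURRENT_REPORT = r"""
2011/05/31 19:29:10.0498 3672 Scan started
2011/05/31 19:29:10.0498 3672 Mode: Manual;
2011/05/31 19:29:11.0404 3672 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/05/31 19:29:11.0623 3672 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/31 19:29:11.0748 3672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/31 19:29:11.0904 3672 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/05/31 19:29:11.0998 3672 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/31 19:29:12.0107 3672 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
"""

# Constructed baseline for the example: no Aavmker4, an extra Fastfat line, and a
# placeholder all-zero hash for ACPI so that a changed hash shows up in the diff.
BASELINE_REPORT = r"""
2011/05/20 10:00:00.0000 1234 ACPI (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/20 10:00:00.0000 1234 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/20 10:00:00.0000 1234 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/05/20 10:00:00.0000 1234 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/20 10:00:00.0000 1234 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/20 10:00:00.0000 1234 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
"""


class Entry(NamedTuple):
    md5: str
    path: str


def inventory(report: str) -> Dict[str, Entry]:
    """Map driver name -> (md5, path) for every scan line in a TDSSKiller report."""
    found: Dict[str, Entry] = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m["name"]] = Entry(m["md5"], m["path"])
    return found


def diff_inventories(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Drivers that appeared, disappeared, or changed hash/path between two reports."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in common
                          if baseline[n].md5 != current[n].md5
                          or baseline[n].path.lower() != current[n].path.lower()),
    }


if __name__ == "__main__":
    cur, base = inventory(CURRENT_REPORT), inventory(BASELINE_REPORT)
    print(f"{len(cur)} drivers enumerated in the current report")
    for kind, names in diff_inventories(base, cur).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The hashes TDSSKiller prints are MD5 of the file on disk, so a "changed" entry for a Windows component that has not been patched in between is the line a helper would ask about first; an "added" entry is simply cross-checked against software installed since the baseline.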

#5 pacificdenizen

Posted 31 May 2011 - 06:51 PM

I have run the scans. I will add some paranoid observations at the end. Please excuse them if they are irrelevant to what we are doing here.

TDSSKiller did not appear to find anything. Was it supposed to scan only about 400 or 500 items?

2011/05/31 19:29:03.0576 3980 TDSS rootkit removing tool May 25 2011 07:09:24
2011/05/31 19:29:03.0982 3980 ================================================================================
2011/05/31 19:29:03.0982 3980 SystemInfo:
2011/05/31 19:29:03.0982 3980
2011/05/31 19:29:03.0982 3980 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/31 19:29:03.0982 3980 Product type: Workstation
2011/05/31 19:29:03.0982 3980 ComputerName: OCEAN-409DE6685
2011/05/31 19:29:03.0982 3980 UserName: Administrator
2011/05/31 19:29:03.0982 3980 Windows directory: C:\WINDOWS
2011/05/31 19:29:03.0982 3980 System windows directory: C:\WINDOWS
2011/05/31 19:29:03.0982 3980 Processor architecture: Intel x86
2011/05/31 19:29:03.0982 3980 Number of processors: 1
2011/05/31 19:29:03.0982 3980 Page size: 0x1000
2011/05/31 19:29:03.0982 3980 Boot type: Normal boot
2011/05/31 19:29:03.0982 3980 ================================================================================
2011/05/31 19:29:05.0842 3980 Initialize success
2011/05/31 19:29:10.0498 3672 ================================================================================
2011/05/31 19:29:10.0498 3672 Scan started
2011/05/31 19:29:10.0498 3672 Mode: Manual;
2011/05/31 19:29:10.0498 3672 ================================================================================
2011/05/31 19:29:11.0404 3672 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/05/31 19:29:11.0623 3672 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/31 19:29:11.0748 3672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/31 19:29:11.0904 3672 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/05/31 19:29:11.0998 3672 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/31 19:29:12.0107 3672 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/31 19:29:12.0654 3672 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/05/31 19:29:12.0763 3672 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/05/31 19:29:12.0842 3672 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/05/31 19:29:12.0951 3672 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/05/31 19:29:13.0076 3672 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
2011/05/31 19:29:13.0154 3672 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/05/31 19:29:13.0248 3672 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/31 19:29:13.0326 3672 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/31 19:29:13.0467 3672 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/31 19:29:13.0592 3672 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/31 19:29:13.0717 3672 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/31 19:29:13.0826 3672 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/31 19:29:13.0982 3672 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/31 19:29:14.0076 3672 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/31 19:29:14.0138 3672 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/31 19:29:14.0232 3672 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/05/31 19:29:14.0451 3672 cmdGuard (cc56fa45ba18904cb04382ae9f52b1a5) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
2011/05/31 19:29:14.0576 3672 cmdHlp (3a70948ab6e966bdaef2baec1f8ef9d1) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2011/05/31 19:29:14.0951 3672 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/31 19:29:15.0092 3672 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/31 19:29:15.0201 3672 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/31 19:29:15.0279 3672 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/31 19:29:15.0404 3672 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/31 19:29:15.0576 3672 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/31 19:29:15.0670 3672 E1000 (a8b3ec8ee13cbe14f067c72110155a1b) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/05/31 19:29:15.0810 3672 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/31 19:29:15.0920 3672 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/31 19:29:15.0982 3672 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/31 19:29:16.0045 3672 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/31 19:29:16.0123 3672 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/31 19:29:16.0217 3672 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/31 19:29:16.0295 3672 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/31 19:29:16.0388 3672 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/31 19:29:16.0498 3672 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/31 19:29:16.0701 3672 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/31 19:29:16.0935 3672 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/31 19:29:17.0045 3672 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/05/31 19:29:17.0185 3672 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/31 19:29:17.0373 3672 Inspect (28c95218d0c19db3a86bb4e53d6586e9) C:\WINDOWS\system32\DRIVERS\inspect.sys
2011/05/31 19:29:17.0467 3672 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/31 19:29:17.0529 3672 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/31 19:29:17.0623 3672 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/31 19:29:17.0701 3672 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/31 19:29:17.0795 3672 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/31 19:29:17.0873 3672 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/31 19:29:17.0951 3672 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/31 19:29:18.0013 3672 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/31 19:29:18.0107 3672 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/31 19:29:18.0185 3672 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/31 19:29:18.0248 3672 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/31 19:29:18.0342 3672 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/31 19:29:18.0451 3672 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/31 19:29:28.0607 3672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/05/31 19:29:28.0763 3672 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk2\DR4
2011/05/31 19:29:28.0826 3672 ================================================================================
2011/05/31 19:29:28.0826 3672 Scan finished
2011/05/31 19:29:28.0826 3672 ================================================================================
2011/05/31 19:29:28.0857 3668 Detected object count: 0
2011/05/31 19:29:28.0857 3668 Actual detected object count: 0

I have attached the other scan results.

Here is my paranoia: I disabled my wireless adapter before coming back to do this. When I plugged it back in, I could only get a local connection. I had to reboot in order to get back on the internet.

When shutting down to reboot, I got a message that "DDE Server Window" was closing. I don't know what that is.

When rebooting, I have lately been getting two black screens, then the Windows logo, and then two more black screens. This time, I first got a shorter black screen with a blinking white cursor, which I have always associated with system changes. Then I got the Windows logo, and two short black screens. I did a quick search of all modified files in that time period and have a screenshot if you are interested. I realize that is probably silly and overkill, but I am crazy paranoid right now with this computer.

It seems to be working very well, and quietly lately. Is it possible that I got rid of everything bad?

Sorry for sounding crazy. Thank you again for looking at the logs.
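As an added example, not from this thread or from TDSSKiller itself: a small Python triage script for log lines in the format posted above. It parses the driver and MBR records, separates third-party drivers from those under the Windows tree, and reports which hashes changed between two scans, which is the question the thread keeps returning to (does anything survive a reinstall?). The sample lines are constructed in the log's format using hashes shown in this thread; the all-zero "after" MBR hash is a placeholder.

```python
import re

# One TDSSKiller record per line: "<date> <time> <pid> <name> (<md5>) <path>".
# MBR records use the name "MBR (0x1B8)" and a \Device\... path instead of a file.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<name>MBR \(0x1B8\)|\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)

def parse_tdsskiller(text):
    """Return the driver/MBR records in a TDSSKiller log; banner lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]

def triage(entries, windows_root="C:\\WINDOWS\\"):
    """Bucket records into MBR sectors, drivers under the Windows tree, and everything
    else. Third-party drivers deserve a second look on a machine that keeps 'reinfecting'."""
    buckets = {"mbr": [], "windows": [], "third_party": []}
    for e in entries:
        if e["name"].startswith("MBR"):
            buckets["mbr"].append(e)
        elif e["path"].lower().startswith(windows_root.lower()):
            buckets["windows"].append(e)
        else:
            buckets["third_party"].append(e)
    return buckets

def changed_hashes(before_text, after_text):
    """Records whose MD5 differs between two scans (e.g. before and after a reinstall).
    Drivers are keyed by name; MBR records by device path so each disk is tracked."""
    def key(e):
        return e["path"] if e["name"].startswith("MBR") else e["name"]
    before = {key(e): e["md5"] for e in parse_tdsskiller(before_text)}
    after = {key(e): e["md5"] for e in parse_tdsskiller(after_text)}
    return sorted(k for k in before.keys() & after.keys() if before[k] != after[k])

# Constructed sample in the log's format (hashes taken from this thread's log).
SCAN_BEFORE = r"""
2011/05/31 19:29:23.0920 3672 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/31 19:29:26.0201 3672 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/31 19:29:28.0607 3672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/05/31 19:29:28.0826 3672 Scan finished
"""
# A second, hypothetical scan where only the MBR hash changed (all-zero value is a placeholder).
SCAN_AFTER = SCAN_BEFORE.replace("8f558eb6672622401da993e1e865c861", "0" * 32)

if __name__ == "__main__":
    report = triage(parse_tdsskiller(SCAN_BEFORE))
    print("third-party drivers:", [e["path"] for e in report["third_party"]])
    print("changed between scans:", changed_hashes(SCAN_BEFORE, SCAN_AFTER))
```

A changed MBR hash between two scans of the same disk is worth explaining (a fixmbr run, a reinstall, or a different boot manager) before treating it as a sign of infection.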


#6 m0le


  Malware Response Team
Posted 31 May 2011 - 07:06 PM

This is something which your error log would be able to pinpoint. Except it doesn't appear to be working.

Please do this:

Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management.
In the console tree, click Event Viewer.

Please find the latest log and copy and paste the contents in your next reply.

#7 pacificdenizen

Posted 31 May 2011 - 07:33 PM

How exactly do I copy the log? I can view one entry at a time, but I don't know how to copy the whole thing.


#8 m0le


Posted 31 May 2011 - 07:57 PM

Sorry, it will be easier to export a log in txt format.

In the Computer Management console, double-click on the Event Viewer entry. You should now see a list of event logs.
Right-click on the event log you want to archive (we want the latest) and select Save Log File As from the shortcut menu.
In the Save As dialog box, select a directory (My Documents is a good target folder) and name it eventviewer.
Using the Save As Type drop-down list box select the Text (.txt) log file format.
Choose Save.

Now attach the log file in your next reply. Click Reply and then click Browse which is below the reply box and browse to the file, click Open and click the Attach This File button.

#9 pacificdenizen

Posted 31 May 2011 - 08:17 PM

I have attached both the application and system logs. The others are empty.


#10 m0le


Posted 01 June 2011 - 04:44 PM

The logs show that you likely have a WMI issue.

The good news is that this is not a malware issue. The bad news is that I am not trained to deal with this type of problem.

There is advice and help on repairing the WMI on the following links:

The WMI Diagnosis Utility - Microsoft's website with a downloadable utility
Repairing and re-registering the WMI - a quick fix which may not solve the issues

#11 pacificdenizen

Posted 01 June 2011 - 05:15 PM

Thank you for your help and the links. I appreciate it.

#12 pacificdenizen

Posted 01 June 2011 - 05:19 PM

Before we close this... I have one more question.

Would it be possible to run Combofix again? I have not done it since I fixed MBR and reinstalled the last time.

Before then, I kept getting messages about a rootkit even after a reinstall. I would like you to see a Combofix log, if possible... to see if it does it again.

I also want to make sure I was running it properly when I got those messages, because I know you discourage people doing it on their own.

Thank you in advance.

#13 m0le


Posted 01 June 2011 - 07:26 PM

Apologies, I should have asked for a rerun of Combofix. Uninstall your copy

Remove Combofix now that we're done with it.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

And now

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#14 pacificdenizen

Posted 02 June 2011 - 09:52 AM

Hi again,

I followed your instructions. I did not have to delete Combofix, because I had reformatted and reinstalled XP since the last use.

Combofix began running and then gave me the same message it has been giving: "Combofix has detected the presence of rootkit activity and needs to reboot the machine."

On reboot, it scanned, and I got the log I have attached.

I noticed it deleted the same file it has deleted when I used it previously: (c:\windows\system32\e1000msg.dll). This keeps happening even after reformatting with the XP disk.

I noticed there is another thread on BleepingComputer where people are talking about something similar... They report Combofix reports the presence of mysterious rootkit activity time after time even after reinstalling the OS and flashing the bios: http://www.bleepingcomputer.com/forums/topic375448.html

I don't know how to flash the bios on this machine, but I did run fixmbr and reinstall XP before this time. They don't report any file deletions in that thread, though... Does the fact that Combofix keeps deleting this particular file for me mean it is a bad one that keeps coming back?

Thanks for staying with me on this.

p.s. Just a side question, too. What was the "DDE Server Window" that said it was closing, that I mentioned in my previous post? Is that anything to be concerned about?

Thanks again.


#15 m0le


Posted 02 June 2011 - 06:02 PM

The DDE Server Window is nothing to worry about.

The Combofix log doesn't show anything obvious either. The file it keeps removing is being regenerated after rebooting the system, but that doesn't mean that it is bad; it could be attached to a program that reinstalls it after a reboot. Can you run the file through Jotti?

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

It is possible that the rootkit that Combofix is detecting is in the quarantine folder of Avast or another security program. Please empty the quarantine folders and then we'll wait for the result of the Jotti scan before we rerun Combofix.
