
Complete Removal help forRootkit.TDSS


This topic is locked
16 replies to this topic

#1 I Put My Faith In U

I Put My Faith In U

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 30 May 2011 - 12:34 AM

Hi

I'm new here, and I really need your help. I've had this Rootkit for so long now. It's been like since August 2010. I read some threads here, and followed through, but it will not go away. It keeps creating Shortcuts, and every time I run Spybot or Anti-virus, it shuts down my computer. I can't stand this. I'm so desperate right now. Have been spending DAYS trying to get rid of this and read one thread saying it's Almost impossible to get rid of and even reformatting doesn't always work and my PC can't be trusted again.
I've had this computer since April 9, 08-9. I downloaded a Game called DarkEden, and from a site Game Zone. Now I'm really paying for it. The files sometimes are not accessible. I just realized it made a Network for the internet called HEADLESS HORSE, AND I cannot get rid of it, it won't let me delete it. I get this thing in the usernames that was Account.username and it was in with my Accounts for the computer. I deleted it (Probably shouldn't have, but did).
Malwarebytes picked up ROOTKIT.TDSS. Yontoo Spybot picked up but every time I scanned it I removed it but it ended up back on the PC again. It downloads DivX, Smilies........ I even go into Safemode. Do system restore. Malwarebytes detected lots of Adware, a Trojan.

Anybody?

Edited by Blade Zephon, 30 May 2011 - 10:21 AM.
Moved to AII as no logs provided and Prep Guide not followed. ~BZ



#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:48 AM

Posted 30 May 2011 - 10:23 AM

Hello.

Let's try this.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

~Blade


In your next reply, please include the following:
TDSSKiller Log

Edited by Blade Zephon, 30 May 2011 - 10:23 AM.

animinionsmalltext.gif
If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!


#3 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 30 May 2011 - 07:57 PM

Hi, thanks for replying. I ran that and got nothing.
I run Spybot, or Kaspersky and my computer shuts off....
When I ran Spybot, I saw a bunch of Keyloggers and all kinds of things, too many to ever remember.


System scan completed
Duration: 00:00:54
Processed: 260 objects,
Infection: not found

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:48 AM

Posted 30 May 2011 - 08:11 PM

Hello.

Let's cross check those results with another scan.

Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, log in under the account that you normally use; do NOT log in under the account titled "Admin" or "Administrator" unless this account is the one used normally.

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

***************************************************

Please download Rootkit Unhooker and save it to your Desktop
Alternate Link 1 (.exe file)
Alternate Link 2 (zipped file)
Alternate Link 3 (.rar file)
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


If you do, please proceed normally.

~Blade


In your next reply, please include the following:
SUPERAntiSpyware Log
RKU Log
How is the computer running now?



#5 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 30 May 2011 - 08:22 PM

I'm on it right now. Mywot.com says that that site has malware on it.
http://www.mywot.com/en/scorecard/oldtimer.geekstogo.com
and http://malc0de.com/database/index.php?search=oldtimer.geekstogo.com

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,537 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:48 AM

Posted 30 May 2011 - 08:30 PM

Hello, believe me the tool is safe as WOT said.. the 2 commenters are nuts.

We use that here all day it is SAFE

here's 40 pages or 1000 successful uses here at BC
http://www.bleepingcomputer.com/forums/index.php?app=core&module=search&section=search&do=search&fromsearch=1
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#7 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 30 May 2011 - 08:40 PM

Oh, thank you very much! Just very nervous and frustrated as to what to do. I ran the Old Timer. Rebooted, now on to the next.

#8 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 31 May 2011 - 12:28 AM

> Hello, believe me the tool is safe as WOT said.. the 2 commenters are nuts.
>
> We use that here all day it is SAFE
>
> here's 40 pages or 1000 successful uses here at BC
> http://www.bleepingcomputer.com/forums/index.php?app=core&module=search&section=search&do=search&fromsearch=1



If not that one, what about this one. It's low. :/
http://www.mywot.com/en/scorecard/rootkit.com

#9 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 31 May 2011 - 12:30 AM

Blade Zephon
Which link for Unhooker?

I just did the first one, EXE.

SUPER ANTI-SPYWARE

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/31/2011 at 00:10 AM

Application Version : 4.53.1000

Core Rules Database Version : 6494
Trace Rules Database Version: 4306

Scan type : Complete Scan
Total Scan Time : 02:11:48

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 8442
Registry threats detected : 0
File items scanned : 243751
File threats detected : 13

Adware.Tracking Cookie
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@megaporn[5].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\Low\vamred@megaporn[1].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@ad.yieldmanager[2].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@atdmt[2].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@casalemedia[1].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@content.yieldmanager[2].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@content.yieldmanager[3].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@doubleclick[1].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@imrworldwide[2].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@megaporn[1].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@megaporn[2].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@megaporn[4].txt
C:\Users\Vamred\AppData\Roaming\Microsoft\Windows\Cookies\vamred@tribalfusion[1].txt


RKU

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #1
==============================================
>Drivers
==============================================
==============================================
>Stealth
==============================================


Nothing detected :(

About my computer. I mean I don't understand. I ran Spybot it said all these suspicious things. (Keyloggers, Trojans, etc) And nothing picks anything up and when it did, it just scanned through them and that was that. I could never scan thoroughly because it kept shutting down my PC. *Sighs*

Edited by I Put My Faith In U, 31 May 2011 - 12:47 AM.
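Added example, not code from this thread or from the Rootkit Unhooker tool: a small Python parser for the ">Drivers" section of an RKU report, with the triage notes an analyst attaches before deciding whether a listing "shows anything useful". The sample text is a constructed excerpt in the report's layout; the heuristics (scanner's own drivers, kernel aliases at a shared base address, crash-dump copies, ARC boot paths, missing version information) are assumptions about what is worth a second look, not rules from RKU itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the layout of an RKU "Report" (a handful of lines
# in the same format as a full driver listing; not a complete report).
SAMPLE_REPORT = r"""RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #1
==============================================
>Drivers
==============================================
0x88A00000 C:\Windows\system32\DRIVERS\kl1.sys 5382144 bytes (Kaspersky Lab ZAO, Kaspersky Unified Driver)
0x8784F000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x8784F000 PnpManager 3907584 bytes
0x97DB6000 C:\Windows\System32\Drivers\dump_nvstor32.sys 147456 bytes
0x8DBAF000 \ArcName\multi(0)disk(0)rdisk(0)partition(1)\Windows\system32\drivers\PctWfpFilter.sys 122880 bytes
0x97CC7000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x853EC000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x853D1000 C:\Windows\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
==============================================
>Stealth
==============================================
"""

# base address, module path (may contain spaces), size, optional "(vendor, description)"
DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.+?)\s+(\d+) bytes(?:\s+\((.*)\))?\s*$")


@dataclass
class Driver:
    base: int
    path: str
    size: int
    info: Optional[str]  # None when the report printed no version information


def parse_rku_report(text: str) -> Dict[str, List[Driver]]:
    """Split a report into its '>Section' blocks and parse each driver line."""
    sections: Dict[str, List[Driver]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith(">"):
            current = line[1:].strip()
            sections.setdefault(current, [])
            continue
        # header lines before the first section and '=====' rules carry no drivers
        if current is None or not line or set(line) == {"="}:
            continue
        m = DRIVER_RE.match(line)
        if m:
            base, path, size, info = m.groups()
            sections[current].append(Driver(int(base, 16), path, int(size), info))
    return sections


# Assumed markers for drivers that belong to the scanners run on the box, not to the baseline
SCANNER_MARKERS = ("RKU Driver", "SUPERAntiSpyware.com")


def triage_drivers(drivers: List[Driver]) -> Dict[str, List[str]]:
    """Return {module path: [notes]} for entries worth a second look, with the
    benign explanation attached where one applies."""
    with_info_at = {d.base for d in drivers if d.info}
    findings: Dict[str, List[str]] = {}
    for d in drivers:
        notes: List[str] = []
        name = d.path.rsplit("\\", 1)[-1].lower()
        if d.info and any(marker in d.info for marker in SCANNER_MARKERS):
            notes.append("belongs to a scanner run on this machine, not to the baseline install")
        if d.path.startswith("\\"):
            notes.append("listed by ARC/boot path rather than a drive letter; confirm the on-disk file and its signature")
        if not d.info or d.info.strip() == "-, -":
            if "\\" not in d.path and d.base in with_info_at:
                notes.append("alias for the module at the same base address (kernel pseudo-module), not a separate file")
            elif name.startswith("dump_"):
                notes.append("crash-dump copy of a storage driver; expected to carry no version information")
            else:
                notes.append("no vendor/version information embedded; verify the file's digital signature")
        if notes:
            findings[d.path] = notes
    return findings


if __name__ == "__main__":
    report = parse_rku_report(SAMPLE_REPORT)
    print(f"{len(report['Drivers'])} drivers, {len(report.get('Stealth', []))} stealth entries")
    for path, notes in triage_drivers(report["Drivers"]).items():
        print(path)
        for note in notes:
            print(f"    - {note}")
```

Entries with no note at all (a recognised vendor string and a normal drive-letter path) are the ones a reviewer skips; the notes explain why the remaining oddities in a listing like the one above are expected rather than evidence of a rootkit.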


#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:48 AM

Posted 31 May 2011 - 02:58 PM

It appears that the issues on your system will require a more in-depth examination than can be performed in this forum. Please read the information in this guide, and follow all the steps beginning with step 6. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The MRT is very busy, so it could be several days (3-5 days is the average wait right now) before you receive a reply. But rest assured, help is on the way!

~Blade



#11 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 01 June 2011 - 02:26 AM

Thank you. What are logs and how do I get them? (Sorry, I'm new to this stuff)

#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:48 AM

Posted 01 June 2011 - 02:30 AM

All the information is in the first link of my previous post. Here it is again.

http://www.bleepingcomputer.com/forums/topic34773.html

Start at step six.

Once you're done, create a NEW TOPIC here -> http://www.bleepingcomputer.com/forums/forum22.html

re-read my previous post for the rest.

~Blade



#13 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 01 June 2011 - 02:34 AM

> It appears that the issues on your system will require a more in-depth examination than can be performed in this forum.



I ran Rootkit Unhooker with all the selected options, along with the two you mentioned. It picked up something... It said possibly and my Kaspersky said it was a windows.32.trojan...... I'm wondering should I unhook all?

#14 I Put My Faith In U

I Put My Faith In U
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Faith is located around in the Baltimore area.
  • Local time:02:48 AM

Posted 01 June 2011 - 02:37 AM

> All the information is in the first link of my previous post. Here it is again.
>
> http://www.bleepingcomputer.com/forums/topic34773.html
>
> Start at step six.
>
> Once you're done, create a NEW TOPIC here -> http://www.bleepingcomputer.com/forums/forum22.html
>
> re-read my previous post for the rest.
>
> ~Blade



Gotcha, thanks!

#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:02:48 AM

Posted 01 June 2011 - 02:37 AM

No... you shouldn't use RKU to unhook anything.

The scan didn't show anything useful.

If Kaspersky picked something up, you can try to use it to remove the problem.

Otherwise, please follow the steps outlined above.

~Blade
