Computer slow. MBAM showed Rootkit


26 replies to this topic

#1 Nawtheasta


  • Members
  • 403 posts
  • Location:New England, USA

Posted 07 June 2011 - 10:29 AM

Hello My BC Friends 06/07/2011
This post is about my teenage son's Gateway laptop.
OS = Win. XP, SP2, Celeron M 1.40 GHz 1.39 GHz, 504 MB RAM.
Hard drive properties show 31.5 GB free space.
(As I post this, Task Manager shows an svchost process using between zero and 99% CPU.)
It has been slowing down for a while now and having some operational issues. Most seem to have come about since he discovered Facebook.
My goal is to disinfect, remove unwanted programs and install some good defensive software. I did impress on him early on the importance of killing any unknown pop-ups with Task Manager. He did this a few times several months ago and that may have saved us from worse symptoms.
Problems possibly malware related:
Slow and inconsistent start-up. Goes from initial screen to black Windows loading screen, to start option screen (safe mode, last good config, etc.).
Safe mode or safe mode with networking will not load. Just get a longer screen with lines of code. Didn't write it down (partition (0) maybe?).
I did try a Windows repair using an XP SP2 disk and the Infoweek Langa Letter instructions. I get to the repair point where I am told to remove the CD and the system reboots. Everything stops there, as we only get back to the start option screen (safe mode, last good config, etc.). Repair set-up screens never come up, so I do not know if anything has actually been repaired.
I checked the BIOS settings and they always seem to be set to boot from disc, not hard drive. I changed it to boot from HD but I do not know if this affects anything.
After several attempts to start using regular and last good config, I can get the regular desktop to load. Still not sure what I did differently for this to happen.
If it decides it's going to start up we get a blue screen with an XP logo that says something about checking for consistency.
Not sure if this is a legit process, because I have read of others in the Am I Infected forum with the same thing.
We have been canceling this before it completes. After canceling, the regular Windows desktop will load.
I have not seen any redirects from searches, although when I searched BC through Yahoo and clicked the results to come here it sure looked like it was going to send me elsewhere. I stopped this and typed BC directly into the address bar and came here OK.
Somewhere along the way my son has downloaded something that brought along other programs: Uniblue, speditup, Fliptoast, EZchat. These are unwanted programs and have not been used.
I have scanned with MBAM & SAS. (Not sure where to find the SAS log.) Both were updated before running.
The last two MBAM scans are shown below.
The last SAS scan (last night) showed 43 tracking cookies. It wanted me to do a restart to complete the removal process. I was not going to do this as I feared I could not get back to the desktop, but the computer locked up and I had no choice.

Scan of 6/4/2011
Mawarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6772

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

6/4/2011 12:51:45 PM
mbam-log-2011-06-04 (12-51-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 197005
Time elapsed: 46 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\oem preinstall\local settings\Temp\setup1111757376.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\oem preinstall\local settings\Temp\0.8070987265060244.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

______________________________________________________
Scan of 6/6/11

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6792

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

6/6/2011 7:18:42 PM
mbam-log-2011-06-06 (19-18-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 197524
Time elapsed: 45 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I thank you in advance for help and advice
Best Regards
Nawtheasta
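As an added example (not from the post, and not a Malwarebytes tool), the hypothetical Python helper below parses the MBAM 1.x log layout pasted above and checks what a helper looks at first: that each "X Infected: N" summary line matches the items actually listed, which detection families appear, whether any of them sit in a Temp folder, and whether a Rootkit.* hit warrants a dedicated rootkit scan. The embedded sample log is a constructed, abridged copy of the 6/4/2011 log; the regexes, class names and function names are my own.

```python
# Hypothetical MBAM 1.x log triage helper written for this thread (not an MBAM tool).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Greedy path, then the LAST "(family)" before " -> action", so paths that
# contain parentheses (e.g. "Program Files (x86)") still parse correctly.
ITEM_RE = re.compile(r"^(?P<path>.*) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
NO_ITEMS = "(No malicious items detected)"


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str

    def is_rootkit(self) -> bool:
        return self.family.startswith("Rootkit.")

    def in_temp_dir(self) -> bool:
        # Droppers staged under a profile's Local Settings\Temp are worth flagging.
        return "\\temp\\" in self.path.lower()


@dataclass
class MbamReport:
    header: Dict[str, str]
    counts: Dict[str, int]
    detections: List[Detection]

    def counts_consistent(self) -> bool:
        """True when every 'X Infected: N' summary line matches N listed items."""
        return all(
            sum(1 for d in self.detections if d.section == sec) == n
            for sec, n in self.counts.items()
        )

    def families(self) -> List[str]:
        return sorted({d.family for d in self.detections})

    def needs_rootkit_scan(self) -> bool:
        # A Rootkit.TDSS hit is why a dedicated rootkit scan (TDSSKiller) comes next.
        return any(d.is_rootkit() for d in self.detections)


def parse_mbam_log(text: str) -> MbamReport:
    header: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    detections: List[Detection] = []
    current: Optional[str] = None  # detail section we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends a detail section
            continue
        if (m := SUMMARY_RE.match(line)):
            counts[m["section"]] = int(m["count"])
        elif (m := SECTION_RE.match(line)):
            current = m["section"]
        elif current is not None:
            if line != NO_ITEMS and (m := ITEM_RE.match(line)):
                detections.append(Detection(current, m["path"], m["family"], m["action"]))
        elif ": " in line:  # "Database version: 6772", "Scan type: ...", etc.
            key, _, value = line.partition(": ")
            header[key] = value
    return MbamReport(header, counts, detections)


# Constructed sample: an abridged copy of the 6/4/2011 log pasted in the post.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.0.1200
Database version: 6772
Windows 5.1.2600 Service Pack 2
6/4/2011 12:51:45 PM
Scan type: Full scan (C:\\|)
Objects scanned: 197005

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\\documents and settings\\oem preinstall\\local settings\\Temp\\setup1111757376.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\\documents and settings\\oem preinstall\\local settings\\Temp\\0.8070987265060244.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("database:", report.header.get("Database version"))
    print("counts consistent:", report.counts_consistent())
    print("families:", report.families())
    print("in Temp:", [d.path.rsplit("\\", 1)[-1] for d in report.detections if d.in_temp_dir()])
    print("rootkit scan recommended:", report.needs_rootkit_scan())
```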


#2 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,212 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 June 2011 - 08:31 PM

Hello Nawtheasta
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please run TDSSKiller

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


Follow with an Online scan and tell me how it is after.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 08 June 2011 - 09:21 AM

Hi Boopme June 8, 2011
Thanks for picking up this thread. Sorry it was double posted. My son's computer locked up when I was preparing the post and I had to restart. I did not realize that it went through.
I will follow your instructions as you have shown them here. I need to check with my son when he gets home from school to be sure he has backed up some files before I start with TDSSKiller.
I did do some general housekeeping. I realized that the blue XP screen was CHKDSK wanting to run. I let this happen, then ran Disk Cleanup and Defragmenter. These helped a lot. I will continue as you are showing in the hope that I can get it all cleaned out and protected. Summer vacation is almost here and he will be using it more.
Best Regards
Nawtheasta

Here is the SAS log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/06/2011 at 09:08 PM

Application Version : 4.0.1154

Core Rules Database Version : 7219
Trace Rules Database Version: 5032

Scan type : Complete Scan
Total Scan Time : 01:02:28

Memory items scanned : 418
Memory threats detected : 0
Registry items scanned : 4186
Registry threats detected : 0
File items scanned : 23591
File threats detected : 43

Adware.Tracking Cookie

Edited by Nawtheasta, 08 June 2011 - 09:23 AM.


#4 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,212 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 June 2011 - 07:12 PM

I see the ESET did come up right.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#5 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 08 June 2011 - 10:23 PM

Hi Boopme June 8, 2011
My son did the backups I mentioned, so I plan to start tomorrow with TDSSKiller, then ESET.
I have a few questions (thanks again for your help and patience!).
Your instructions say that after running the TDSS scan a log will be created and saved to the root directory (usually Local Disk C:).
Will the location of this be C:\Program Files? (I probably should already know this.)


I assume I need to turn off the screen saver so it does not interfere with either the TDSS or ESET scans (?)


I read the BC instructions about turning off the antivirus / anti-malware programs.
I believe that his computer only has an expired trial version of McAfee. I will check it though and be sure it is turned off before I run ESET. No mention was made of turning this off before TDSS is run, so I assume that this only applies to the ESET scan.
I assume I will also need to turn off the built-in Windows firewall from Control Panel.

Your second set of instructions for ESET advise that the REMOVE FOUND THREATS box is NOT (in red) to be checked.
I assume that you intend the ESET scan to be a reporting tool and not a removal tool? Please advise if I have misunderstood.


Thank you for your ongoing help
Best Regards
Nawtheasta
P.S. Loading his computer with good antivirus / anti-malware programs is a top priority after getting it cleaned up.

#6 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 09 June 2011 - 11:09 AM

Hi Boopme
Here's the TDSS log. I will work on ESET now.
2011/06/09 08:26:23.0851 4016 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
2011/06/09 08:26:24.0391 4016 ================================================================================
2011/06/09 08:26:24.0391 4016 SystemInfo:
2011/06/09 08:26:24.0391 4016
2011/06/09 08:26:24.0391 4016 OS Version: 5.1.2600 ServicePack: 2.0
2011/06/09 08:26:24.0391 4016 Product type: Workstation
2011/06/09 08:26:24.0391 4016 ComputerName: OWNER-19E61FF13
2011/06/09 08:26:24.0391 4016 UserName: OEM PreInstall
2011/06/09 08:26:24.0391 4016 Windows directory: C:\WINDOWS
2011/06/09 08:26:24.0391 4016 System windows directory: C:\WINDOWS
2011/06/09 08:26:24.0391 4016 Processor architecture: Intel x86
2011/06/09 08:26:24.0391 4016 Number of processors: 1
2011/06/09 08:26:24.0391 4016 Page size: 0x1000
2011/06/09 08:26:24.0391 4016 Boot type: Normal boot
2011/06/09 08:26:24.0391 4016 ================================================================================
2011/06/09 08:26:27.0306 4016 Initialize success
2011/06/09 08:27:56.0414 3988 ================================================================================
2011/06/09 08:27:56.0414 3988 Scan started
2011/06/09 08:27:56.0414 3988 Mode: Manual;
2011/06/09 08:27:56.0414 3988 ================================================================================
2011/06/09 08:28:11.0025 3988 tifm21 (a900f20ac0ed38223fbb87d2884cafb9) C:\WINDOWS\system32\drivers\tifm21.sys
2011/06/09 08:28:11.0185 3988 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/09 08:28:11.0305 3988 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/09 08:28:11.0385 3988 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/09 08:28:11.0495 3988 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/09 08:28:11.0545 3988 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/09 08:28:11.0595 3988 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/09 08:28:11.0656 3988 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/06/09 08:28:11.0796 3988 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/09 08:28:11.0906 3988 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/09 08:28:12.0036 3988 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/09 08:28:12.0196 3988 winachsf (9c26534a3d2aa00352ffcd23bfef1399) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/06/09 08:28:12.0357 3988 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/06/09 08:28:12.0467 3988 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/09 08:28:12.0527 3988 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/09 08:28:12.0617 3988 X4HSEx (13cf1854fecc1b4d7490983b03cdbcd2) C:\Program Files\Free Ride Games\X4HSEx.Sys
2011/06/09 08:28:12.0697 3988 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/09 08:28:12.0707 3988 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/09 08:28:12.0727 3988 ================================================================================
2011/06/09 08:28:12.0727 3988 Scan finished
2011/06/09 08:28:12.0727 3988 ================================================================================
2011/06/09 08:28:12.0737 2680 Detected object count: 1
2011/06/09 08:28:12.0737 2680 Actual detected object count: 1
2011/06/09 08:29:04.0191 2680 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/09 08:29:04.0191 2680 \Device\Harddisk0\DR0 - ok
2011/06/09 08:29:04.0191 2680 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/06/09 08:29:27.0885 3744 Deinitialize success
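As an added example (not code from the thread or from TDSSKiller itself), a small Python triage script for a log in the format posted above: it pulls out the object entries, the detections and the cure results, flags any detection without a matching cure line, and lists drivers loaded from outside the Windows directory. The `C:\WINDOWS` system path and the `triage_tdsskiller` helper name are assumptions; the sample lines are excerpted from the log above.

```python
import re
from dataclasses import dataclass, field

# Added example, not TDSSKiller's own code. Three line shapes matter:
#   <date> <time> <pid> <Name> (<md5>) <path>                object entry
#   <date> <time> <pid> <object> - detected <Threat> (<n>)   detection
#   <date> <time> <pid> <object> (<Threat>) - <result>       cure result
PREFIX = r"^\d{4}/\d{2}/\d{2} [\d:.]+\s+\d+\s+"
ENTRY_RE = re.compile(PREFIX + r"(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?) "
                      r"\((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(PREFIX + r"(?P<obj>\S+) - detected (?P<threat>\S+) \(\d+\)$")
CURE_RE = re.compile(PREFIX + r"(?P<obj>\S+) \((?P<threat>[^)]+)\) - "
                     r"(?P<result>will be cured after reboot|cured|skipped)$")
WINDOWS_DIR = "c:\\windows\\"  # assumption: system drive is C:, as in this thread


@dataclass
class Triage:
    entries: dict = field(default_factory=dict)          # name -> (md5, path)
    detections: list = field(default_factory=list)       # (object, threat)
    cures: list = field(default_factory=list)            # (object, threat, result)
    unresolved: list = field(default_factory=list)       # detections with no cure line
    outside_windows: list = field(default_factory=list)  # drivers loaded from elsewhere


def triage_tdsskiller(log_text):
    """Parse TDSSKiller output and summarise what was found and what was cured."""
    t = Triage()
    for line in log_text.splitlines():
        line = line.strip()
        if m := ENTRY_RE.match(line):
            t.entries[m["name"]] = (m["md5"], m["path"])
            path = m["path"].lower()
            # A driver loaded from outside %SystemRoot% deserves a second look.
            if path[1:3] == ":\\" and not path.startswith(WINDOWS_DIR):
                t.outside_windows.append((m["name"], m["path"]))
        elif m := DETECT_RE.match(line):
            t.detections.append((m["obj"], m["threat"]))
        elif m := CURE_RE.match(line):
            t.cures.append((m["obj"], m["threat"], m["result"]))
    cured = {(o, th) for o, th, r in t.cures if r != "skipped"}
    t.unresolved = [d for d in t.detections if d not in cured]
    return t


# Constructed sample: a handful of lines excerpted from the log posted above.
SAMPLE_LOG = r"""
2011/06/09 08:28:12.0196 3988 winachsf (9c26534a3d2aa00352ffcd23bfef1399) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/06/09 08:28:12.0617 3988 X4HSEx (13cf1854fecc1b4d7490983b03cdbcd2) C:\Program Files\Free Ride Games\X4HSEx.Sys
2011/06/09 08:28:12.0697 3988 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/06/09 08:28:12.0707 3988 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/09 08:29:04.0191 2680 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/09 08:29:04.0191 2680 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
"""
```

Run `triage_tdsskiller(SAMPLE_LOG)` and inspect `.detections`, `.unresolved` and `.outside_windows`; an empty `unresolved` list means every detection had a cure result.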

#7 boopme (Global Moderator, 73,212 posts, NJ USA)

Posted 09 June 2011 - 11:33 AM

This was most likely the biggest problem: Rootkit.Win32.TDSS.tdl4.
After ESET, change the passwords on here.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#8 Nawtheasta (Topic Starter; Members, 403 posts, New England, USA)

Posted 09 June 2011 - 12:03 PM

Hi Boopme
I am typing this on my desktop. My son's laptop is currently downloading the ESET database.
You say in your last reply:

"After ESET change the passwords on here."

I am not sure what you are referring to. For Bleeping Computer???

Best Regards
Nawtheasta

#9 boopme (Global Moderator, 73,212 posts, NJ USA)

Posted 09 June 2011 - 12:32 PM

Sorry, change all passwords on the infected PC after running ESET, as the TDL4 infection HAS taken them.

Edited by boopme, 09 June 2011 - 12:32 PM.


#10 Nawtheasta (Topic Starter; Members, 403 posts, New England, USA)

Posted 09 June 2011 - 01:07 PM

Hi Boopme
I will tell him to change his passwords, but to be honest there is nothing that this computer is used for that is critical.
Here is the ESET scan. Note, as instructed, ESET was not directed to remove threats. I did choose not to uninstall ESET.

C:\Documents and Settings\OEM PreInstall\Application Data\Mozilla\Firefox\Profiles\dy0tl9hx.default\extensions\{db01ac73-c01d-4871-9fbc-92477db0105f}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Mozilla\Firefox\Profiles\dy0tl9hx.default\extensions\{db01ac73-c01d-4871-9fbc-92477db0105f}\chrome\xulcache.jar JS/Agent.NDB trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Mozilla\Firefox\Profiles\dy0tl9hx.default\extensions\{e90e4778-4e0d-4eb3-bc94-80ee8b6a4d6a}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Mozilla\Firefox\Profiles\dy0tl9hx.default\extensions\{e90e4778-4e0d-4eb3-bc94-80ee8b6a4d6a}\chrome\xulcache.jar JS/Agent.NDB trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-12e39e33 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-1581623c a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-1c627b22 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-5d5051a1 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-64c977ac a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\12\21b718cc-7c20e32b a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\16\14d1d290-55159c7d a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-11eb42f5 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-12742263 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-30dccf76 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-36d0de6c a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-3c4f3b30 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-44810d81 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-44ae211f a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-4b5359dd a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-690a70bc a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-6ad38b4b a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-6f47ebe6 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\33\2cc07e61-71a291f5 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\47\102e93af-6c85a3d0 probably a variant of Win32/Agent.CDGQEWH trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\48\13673cb0-496b9f58 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\49\6dfdeab1-31151525 Java/Agent.BV trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\53\397bd8b5-276f8fa6 probably a variant of Win32/Agent.ZVRMM trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\55\51d1c3f7-376c5d27 a variant of Java/TrojanDownloader.OpenStream.NCE trojan
C:\Documents and Settings\OEM PreInstall\Application Data\Sun\Java\Deployment\cache\6.0\8\fad2d88-1e3dec68 Java/Agent.BV trojan
C:\Documents and Settings\OEM PreInstall\Local Settings\Temp\OCSetupHlp.dll Win32/OpenCandy application
C:\Documents and Settings\OEM PreInstall\Local Settings\Temporary Internet Files\Content.IE5\ZVHSZVDD\index-functions[1].js Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\Program Files\Winferno\PC Confidential\PCCBHO.dll Win32/Adware.PCConfidential application
C:\Program Files\Winferno\PC Confidential\PCConfidential.exe Win32/Adware.PCConfidential application
C:\Program Files\Winferno\PC Confidential\PCCST.exe Win32/Adware.PCConfidential application
C:\WINDOWS\system32\ddraw32.exe a variant of Win32/Kryptik.OKQ trojan
Operating memory Win32/RegistryBooster application

#11 boopme (Global Moderator, 73,212 posts, NJ USA)

Posted 09 June 2011 - 03:05 PM

That's good, because everything we found wants to steal info, LOL.
This looks good now. How is it running?

Do one more quick scan and I think we're done.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#12 Nawtheasta (Topic Starter; Members, 403 posts, New England, USA)

Posted 09 June 2011 - 05:39 PM

Hi Boopme
Ran MBAM in normal mode. Nothing was found so I did not reboot.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6822

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

6/9/2011 3:04:35 PM
mbam-log-2011-06-09 (15-04-35).txt

Scan type: Quick scan
Objects scanned: 142557
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I am confused though. As instructed, the line in ESET, Remove Found Threats, was not checked. The last screen told me it did not remove anything. So aren't the Trojans that ESET found still in there????

Edited by Nawtheasta, 09 June 2011 - 05:40 PM.

#13 boopme (Global Moderator, 73,212 posts, NJ USA)

Posted 09 June 2011 - 06:22 PM

Thanks for noticing I had posted the non-removing instructions. I suspected a Bamital infection and we did not want ESET to kill that, as it would have been bad. Yes, run it again.
  • Make sure that the option Remove found threats IS checked

#14 Nawtheasta (Topic Starter; Members, 403 posts, New England, USA)

Posted 09 June 2011 - 06:41 PM

Hi Boopme
No problem. I respect and appreciate all your help.

I did not remove ESET after the scan. I do not see it on the desktop or in All Programs. Any idea where it may be?

Best Regards
Nawtheasta

#15 boopme (Global Moderator, 73,212 posts, NJ USA)

Posted 09 June 2011 - 06:48 PM

C:\Program Files\ESET\ESET Online Scanner ?????
