Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Having Trouble Removing Google Redirect Virus


  • This topic is locked This topic is locked
12 replies to this topic

#1 Xoggle

Xoggle

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 05 July 2011 - 08:55 AM

Hi!
So I've had this virus for about 24 hours and have been looking through the forums and tutorials for a way to remove it, however not having much luck. :(
I'm hoping someone more knowledgeable and with more experience can help me with this nasty pest.

From what I can see the virus has done a few things so far:
1. Redirects my browser to other random websites
2. Hidden my files on my computer (I've managed to show hidden files however they still remain in that washed out sort of color)
3. Changed my Firefox connection to a proxy (I've resolved this however)
4. Stopped me from running certain processes (Eg: System restore)

Theres probably more going on but off the top of my head this is what I notice.

Some info
-My OS is Windows XP
-I scanned my computer with Malwarebytes, Hitman Pro and Avira, theyve detected some stuff which I've resolved, however the virus still appears to be on my computer.
-Tried to system restore and also tried to run the tdsskiller.exe however my computer doesn't respond when I click to do either.

I'm a new member and hope I've respected the forum etiquette, sorry if I missed something!

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:30 PM

Posted 05 July 2011 - 04:47 PM

Welcome aboard Posted Image

No more system restore from now on, please.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 Xoggle

Xoggle
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 06 July 2011 - 02:41 AM

Thanks for the fast response Broni!
I've also noticed that there are 67 Items quarantined by Malwarebytes since I first started using it, should I remove these?
I've done all that you said and here are the following logs.

Security Check
==========================================================
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 23
HP JavaCard for HP ProtectTools
Out of date Java installed!
Adobe Flash Player 10.2.152.32
Mozilla Firefox (x86 en-GB..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````
======================================================




MiniToolBox
======================================================
MiniToolBox by Farbar
Ran by Administrator (administrator) on 06-07-2011 at 14:28:03
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 3"

set address name="Local Area Connection 3" source=dhcp
set dns name="Local Area Connection 3" source=dhcp register=PRIMARY
set wins name="Local Area Connection 3" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : JAMES

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection 3:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller

Physical Address. . . . . . . . . : 00-26-55-C6-6D-7D



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN

Physical Address. . . . . . . . . : 00-1E-65-99-C9-86

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.0.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DNS Servers . . . . . . . . . . . : 61.9.133.193

61.9.134.49

Lease Obtained. . . . . . . . . . : Wednesday, 6 July 2011 2:27:01 PM

Lease Expires . . . . . . . . . . : Wednesday, 6 July 2011 3:27:01 PM

Server: dns-cust.lon.bigpond.net.au
Address: 61.9.133.193

Name: google.com
Addresses: 74.125.237.20, 74.125.237.17, 74.125.237.16, 74.125.237.18
74.125.237.19



Pinging google.com [74.125.237.19] with 32 bytes of data:



Reply from 74.125.237.19: bytes=32 time=27ms TTL=51

Reply from 74.125.237.19: bytes=32 time=26ms TTL=52



Ping statistics for 74.125.237.19:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 26ms, Maximum = 27ms, Average = 26ms

Server: dns-cust.lon.bigpond.net.au
Address: 61.9.133.193

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56



Pinging yahoo.com [67.195.160.76] with 32 bytes of data:



Reply from 67.195.160.76: bytes=32 time=268ms TTL=45

Reply from 67.195.160.76: bytes=32 time=325ms TTL=45



Ping statistics for 67.195.160.76:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 268ms, Maximum = 325ms, Average = 296ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 26 55 c6 6d 7d ...... Marvell Yukon 88E8072 PCI-E Gigabit Ethernet Controller - Packet Scheduler Miniport
0x3 ...00 1e 65 99 c9 86 ...... Intel® WiFi Link 5100 AGN - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.0.3 192.168.0.3 20
192.168.0.0 255.255.255.0 192.168.0.3 192.168.0.3 25
192.168.0.3 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.0.255 255.255.255.255 192.168.0.3 192.168.0.3 25
224.0.0.0 240.0.0.0 192.168.0.3 192.168.0.3 25
255.255.255.255 255.255.255.255 192.168.0.3 2 1
255.255.255.255 255.255.255.255 192.168.0.3 192.168.0.3 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/06/2011 02:00:12 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 494a943f, P4 mscorlib, P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 clr20r30, P10 clr20r31.

Error: (07/06/2011 01:59:13 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 494a943f, P4 mscorlib, P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 clr20r30, P10 clr20r31.

Error: (07/06/2011 01:57:10 PM) (Source: MSDTC) (User: )
Description: MS DTC Tracing infrastructure : the initialization of the tracing infrastructure failed. Internal Information : msdtc_trace : File: d:\comxp_sp3\com\com1x\dtc\dtc\trace\src\tracelib.cpp, Line: 1115, StartTrace Failed, hr=0x800700a1

.

Error: (07/06/2011 03:01:17 AM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module itieaddin.dll, version 3.0.0.92, fault address 0x00009ec2.
Processing media-specific event for [iexplore.exe!ws!]

Error: (07/06/2011 01:29:22 AM) (Source: ESENT) (User: )
Description: wlcomm (3356) C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{bb52ebfb-fea9-4522-8c9a-ff69fdf7a6e7}\: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (07/06/2011 01:29:22 AM) (Source: ESENT) (User: )
Description: wlcomm (3356) Error (-1032) during backup of a database (file C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{bb52ebfb-fea9-4522-8c9a-ff69fdf7a6e7}\DBStore\contacts.edb). The database will be unable to restore.

Error: (07/06/2011 01:29:22 AM) (Source: ESENT) (User: )
Description: wlcomm (3356) An attempt to create the file "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{bb52ebfb-fea9-4522-8c9a-ff69fdf7a6e7}\DBStore\contacts.pat" failed with system error 5 (0x00000005): "Access is denied. ". The create file operation will fail with error -1032 (0xfffffbf8).

Error: (07/05/2011 11:10:29 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 494a943f, P4 mscorlib, P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 clr20r30, P10 clr20r31.

Error: (07/05/2011 11:09:33 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 494a943f, P4 mscorlib, P5 2.0.0.0, P6 4d352e63, P7 f4f, P8 7, P9 clr20r30, P10 clr20r31.

Error: (07/05/2011 11:08:33 PM) (Source: MSDTC) (User: )
Description: MS DTC Tracing infrastructure : the initialization of the tracing infrastructure failed. Internal Information : msdtc_trace : File: d:\comxp_sp3\com\com1x\dtc\dtc\trace\src\tracelib.cpp, Line: 1115, StartTrace Failed, hr=0x800700a1

.


System errors:
=============
Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The IviRegMgr service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:47 PM) (Source: Service Control Manager) (User: )
Description: The ActivClient Middleware Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:46 PM) (Source: Service Control Manager) (User: )
Description: The Drive Encryption Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/05/2011 11:06:46 PM) (Source: Service Control Manager) (User: )
Description: The AuthenTec Fingerprint Service service terminated unexpectedly. It has done this 1 time(s).


Microsoft Office Sessions:
=========================

========================= End of Event log errors =========================

========================= Memory info: ====================================

Percentage of memory in use: 29%
Total physical RAM: 3036.19 MB
Available physical RAM: 2146.55 MB
Total Pagefile: 4921.16 MB
Available Pagefile: 4031.88 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.36 MB

======================= Partitions: =======================================

1 Drive c: () (Fixed) (Total:463.74 GB) (Free:406.04 GB) NTFS
2 Drive d: (HP_TOOLS) (Fixed) (Total:2 GB) (Free:1.93 GB) FAT32

================= Users: ==================================================

User accounts for \\JAMES

-------------------------------------------------------------------------------
Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0
The command completed successfully.

================= End of Users ============================================






Malwarebytes Scan Log
===========================================================================

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7031

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/07/2011 2:48:12 PM
mbam-log-2011-07-06 (14-48-12).txt

Scan type: Quick scan
Objects scanned: 171824
Time elapsed: 11 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






GMER Log
======================================================================

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-06 17:39:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.0003
Running: 22ofvcub.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT 980A5244 ZwClose
SSDT 980A51FE ZwCreateKey
SSDT 980A524E ZwCreateSection
SSDT 980A51F4 ZwCreateThread
SSDT 980A5203 ZwDeleteKey
SSDT 980A520D ZwDeleteValueKey
SSDT 980A523F ZwDuplicateObject
SSDT 980A5212 ZwLoadKey
SSDT 980A51E0 ZwOpenProcess
SSDT 980A51E5 ZwOpenThread
SSDT 980A521C ZwReplaceKey
SSDT 980A5217 ZwRestoreKey
SSDT 980A5253 ZwSetContextThread
SSDT 980A5208 ZwSetValueKey
SSDT 980A51EF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text KDCOM.DLL!KdSendPacket BA5A8345 6 Bytes [FA, 8D, 46, 01, 25, FF]
.text KDCOM.DLL!KdSendPacket BA5A834D 5 Bytes [80, 79, 07, 48, 0D]
.text KDCOM.DLL!KdSendPacket BA5A8353 29 Bytes [FF, FF, FF, 40, 0F, B6, F0, ...]
.text KDCOM.DLL!KdSendPacket BA5A8371 28 Bytes [FF, FF, FF, 42, 0F, B6, FA, ...]
.text KDCOM.DLL!KdD0Transition + 8 BA5A838E 17 Bytes [08, 03, 55, F8, 03, D8, 81, ...]
.text KDCOM.DLL!KdD0Transition + 1A BA5A83A0 42 Bytes [FF, FF, FF, 43, 0F, B6, C3, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 25 BA5A83CB 6 Bytes [00, C9, C2, 08, 00, 55] {ADD CL, CL; RET 0x8; PUSH EBP}
.text KDCOM.DLL!KdDebuggerInitialize0 + 2C BA5A83D2 23 Bytes [EC, 83, C8, FF, 83, 7D, 08, ...]
.text KDCOM.DLL!KdDebuggerInitialize0 + 44 BA5A83EA 162 Bytes [42, 5E, F6, C1, 01, 74, 0A, ...]
.text KDCOM.DLL!KdRestore + 2D BA5A848D 1 Byte [43]
.text KDCOM.DLL!KdRestore + 2D BA5A848D 77 Bytes [43, 08, 89, 45, FC, 8B, 55, ...]
.text KDCOM.DLL!KdRestore + 7C BA5A84DC 25 Bytes [C9, C2, 08, 00, 55, 8B, EC, ...]
.text KDCOM.DLL!KdRestore + 97 BA5A84F7 21 Bytes [89, 06, 89, 46, 08, 89, 46, ...]
.text KDCOM.DLL!KdRestore + AD BA5A850D 241 Bytes CALL BA5A846D \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
.text ...
PAGEKD KDCOM.DLL!KdReceivePacket + 2 BA5A8F4E 205 Bytes [F0, 8D, 45, FC, 50, 53, 56, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + D0 BA5A901C 2 Bytes [75, 0E] {JNZ 0x10}
PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 1 Byte [C0]
PAGEKD KDCOM.DLL!KdReceivePacket + D3 BA5A901F 103 Bytes [C0, 02, 83, C2, 02, 84, DB, ...]
PAGEKD KDCOM.DLL!KdReceivePacket + 13B BA5A9087 131 Bytes [7D, 0C, B8, 4D, 5A, 00, 00, ...]
PAGEKD ...
PAGEKD KDCOM.DLL!KdSendPacket + 6F BA5A9221 181 Bytes [83, C4, 18, 33, C0, 85, FF, ...]
? C:\WINDOWS\system32\drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8231000, 0x1BDE76, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSendPacket] [BA5A8631] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD0Transition] [BA5A85DF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdD3Transition] [BA5A85E9] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdReceivePacket] [BA5A860D] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize0] [BA5A85F3] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdSave] [BA5A8625] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdDebuggerInitialize1] [BA5A85FF] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\ntkrnlpa.exe[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\hal.dll[KDCOM.dll!KdRestore] [BA5A8619] \WINDOWS\system32\KDCOM.DLL (Kernel Debugger HW Extension DLL/Microsoft Corporation)
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!READ_PORT_UCHAR] 736F746E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!WRITE_PORT_UCHAR] 6C6E726B
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalQueryRealTimeClock] 6578652E
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!HalInitSystem] 00000000
IAT \WINDOWS\system32\KDCOM.DLL[HAL.dll!KdComPortInUse] 2E6C6168

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:144] 8A2840B3
Thread System [4:156] 8A2857FB

---- EOF - GMER 1.0.15 ----

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:30 PM

Posted 06 July 2011 - 06:37 PM

I've also noticed that there are 67 Items quarantined by Malwarebytes since I first started using it, should I remove these?

You may as well.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#5 Xoggle

Xoggle
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 06 July 2011 - 10:01 PM

Here it is.

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x910B6000 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys 4202496 bytes (Intel Corporation, IntelŪ Wireless WiFi Link Driver)
0xBF1CC000 C:\WINDOWS\System32\ati3duag.dll 3887104 bytes (ATI Technologies Inc. , ati3duag.dll)
0xB8230000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3817472 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF9C6000 C:\WINDOWS\System32\ativvaxx.dll 2646016 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x96B4E000 C:\WINDOWS\system32\DRIVERS\snp2uvc.sys 1761280 bytes (-, UVC Camera Streaming Driver)
0xA23C6000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1204224 bytes (Agere Systems, SoftModem Device Driver)
0xB7BC4000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 987136 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0x968B2000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 892928 bytes
0xB9E13000 iaStor.sys 892928 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xBF065000 C:\WINDOWS\System32\ati2cqag.dll 626688 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xB9D3D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF0FE000 C:\WINDOWS\System32\atikvmag.dll 536576 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB7D09000 C:\WINDOWS\System32\Drivers\wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x969D7000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB7AE6000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0x96AE2000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA2508000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 360448 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0x93208000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF181000 C:\WINDOWS\System32\atiok3x2.dll 307200 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xB7D85000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 299008 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
0xBF581000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x922C2000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x93057000 C:\WINDOWS\system32\drivers\RMCast.sys 204800 bytes (Microsoft Corporation, Reliable Multicast Transport)
0xB7CD8000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 200704 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)
0xB7B6C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x93AA6000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D10000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x8E325000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0x96A47000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB81F4000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0x96ABA000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0x9698C000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 159744 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xB9F05000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0x96A94000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x969B3000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA2560000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB81D0000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB7CB5000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x96A72000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9DF3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F2B000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9F4A000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xA24EC000 C:\WINDOWS\system32\drivers\AEAudio.sys 114688 bytes (Andrea Electronics Corporation, Andrea Audio Driver (32-bit))
0xA2584000 C:\WINDOWS\system32\drivers\AtiHdmi.sys 110592 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
0xB9CDD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x914B8000 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdypow.sys 102400 bytes
0xB9CF7000 SafeBoot.sys 102400 bytes
0xB9EED000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x93BF6000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 94208 bytes (Avira GmbH, Avira Minifilter Driver)
0xB9DCA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x93101000 C:\WINDOWS\system32\drivers\mqac.sys 94208 bytes (Microsoft Corporation, Windows NT MQ Access Control Device Driver)
0xB7BAD000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x93A41000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB821C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x96B3B000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9DE1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB7B9C000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0x93338000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA218000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB277A000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB8C8A000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0x96F02000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB276A000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA118000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB8C7A000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x97CEE000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xB8C5A000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x97CAE000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA208000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB8C6A000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0F8000 SbAlg.sys 45056 bytes (SafeBoot N.V., SafeBoot FIPS AES Algorithm (256 bit))
0xBA128000 sfaudio.sys 45056 bytes (Sonic Focus, Inc, Sonic Focus DSP driver for ADI)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB27AA000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB8C3A000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0x916A4000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA108000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0x97C7E000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0x93398000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xB8C4A000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0x97CDE000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x97CCE000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB4A9D000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0x97B4C000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0x97B24000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x97DC2000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x97DB2000 C:\WINDOWS\system32\DRIVERS\sncduvc.SYS 28672 bytes (-, USBCAMD for Sonix UVC)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\Accelerometer.sys 24576 bytes (Hewlett-Packard Corporation, HP Accelerometer - SATA/RAID)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0x97B44000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xBA380000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x97DBA000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA338000 hpdskflt.sys 20480 bytes (Hewlett-Packard Corporation, HP Disk Filter - SATA/RAID)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys 20480 bytes (Hewlett-Packard Development Company, L.P., HpqKbFiltr Keyboard Filter Driver)
0x97DAA000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0x971C4000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB9695000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB2C5A000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xBA588000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAE5E1000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x97A1B000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0x97C5E000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB96A5000 C:\WINDOWS\system32\drivers\iviaspi.sys 12288 bytes (InterVideo, Inc., InterVideo ASPI Shell)
0x97C5A000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB968D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x9815C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB9691000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5A8000 00000029 8192 bytes
0xBA5B0000 aliide.sys 8192 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0x98DCE000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0x99757000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5B2000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0x99759000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AC000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x99755000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0x99753000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA60E000 C:\WINDOWS\system32\drivers\regi.sys 8192 bytes (InterVideo, regi driver)
0x98DD6000 C:\WINDOWS\System32\Drivers\RsvLock.SYS 8192 bytes (SafeBoot International, SafeBoot Reserved Files Lock Driver)
0xBA5B4000 SbFsLock.sys 8192 bytes (SafeBoot International, SafeBoot FS Locker)
0xBA620000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA61E000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AE000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7EE000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6D4000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0x984C5000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8A281F16 unknown_irp_handler 234 bytes
!!!!!!!!!!!Hidden driver: 0x8AD1C1C0 00000227 0 bytes
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\SafeBoot.sys]
0x8A286604 Unknown page with executable code, 2556 bytes
0x8A2844A5 Unknown page with executable code, 2907 bytes
0x8A283DAA Unknown page with executable code, 598 bytes
0x8A2840B3 Unknown thread object [ ETHREAD 0x8A290410 ] TID: 144, 600 bytes
0x8A2857FB Unknown thread object [ ETHREAD 0x8AC60B30 ] TID: 156, 600 bytes
0x8A283CCB Unknown page with executable code, 821 bytes

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:30 PM

Posted 06 July 2011 - 10:10 PM

2. Hidden my files on my computer (I've managed to show hidden files however they still remain in that washed out sort of color)

Let's see, if we can recover your missing features.
Download and run UnHide

Then....

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#7 Xoggle

Xoggle
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 06 July 2011 - 11:13 PM

The unhide.exe worked great and everything that was hidden is now restored to how it was originally :)

I downloaded the tdsskiller.exe and tried to run it, however it doesn't respond at all.

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:30 PM

Posted 06 July 2011 - 11:17 PM

Good news :)

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#9 Xoggle

Xoggle
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 06 July 2011 - 11:27 PM

I just ran the FixTDSS and it said "Backdoor.tidserv has not been found on your computer".

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:30 PM

Posted 06 July 2011 - 11:32 PM

Your computer is definitely infected, but some other tools, not allowed in this forum must be used.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#11 Xoggle

Xoggle
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:30 PM

Posted 07 July 2011 - 12:51 AM

Okay I've created a new thread and here it is.

Thanks for the help thus far! :)

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:11:30 PM

Posted 07 July 2011 - 07:09 PM

Thank you :)

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:30 AM

Posted 07 July 2011 - 08:30 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users