Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Protection, MY turn in the barrel


  • Please log in to reply
8 replies to this topic

#1 ltdave

ltdave

  • Members
  • 268 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 22 August 2011 - 07:02 PM

like others here, my computer came down with the Security Protection virus a couple of days go...

i ran the following (in safe mode) with NO positive results:

MBAM
SUPERAntiSpyware
Spybot Search and Destroy

none of them detected any infections but i kept getting the pop up window where Security Protection would 'scan' my computer and of course it was showing all of the 'viruses' and malware i had on my system...

it wouldnt let teatimer, motoconnect or several other (all .exe files) programs run...

i could not do a system restore except in safe mode which allowed me to have a couple of hours on sunday in which everything ran fine. until i tried to do a system restore to a later date (one that i thought was post-infection) but alas, it wasnt to be...

of course Bleeping Computer and all of its helpful members got me pointed in the right direction...

i downloaded and ran Kaspersky's TddsKiller (accidentaly BEFORE FixNCR.reg (i printed the directions and even downloaded everything i needed but i somehow skipped over FixNCR...

here is my TddsKiller log:

2011/08/22 19:05:05.0484 0728 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
2011/08/22 19:05:05.0968 0728 ================================================================================
2011/08/22 19:05:05.0968 0728 SystemInfo:
2011/08/22 19:05:05.0968 0728
2011/08/22 19:05:05.0968 0728 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/22 19:05:05.0968 0728 Product type: Workstation
2011/08/22 19:05:05.0968 0728 ComputerName: VOSTRO-1500
2011/08/22 19:05:05.0968 0728 UserName: Dave Dell
2011/08/22 19:05:05.0968 0728 Windows directory: C:\WINDOWS
2011/08/22 19:05:05.0968 0728 System windows directory: C:\WINDOWS
2011/08/22 19:05:05.0968 0728 Processor architecture: Intel x86
2011/08/22 19:05:05.0968 0728 Number of processors: 2
2011/08/22 19:05:05.0968 0728 Page size: 0x1000
2011/08/22 19:05:05.0968 0728 Boot type: Normal boot
2011/08/22 19:05:05.0968 0728 ================================================================================
2011/08/22 19:05:07.0609 0728 Initialize success
2011/08/22 19:05:11.0609 3100 ================================================================================
2011/08/22 19:05:11.0609 3100 Scan started
2011/08/22 19:05:11.0609 3100 Mode: Manual;
2011/08/22 19:05:11.0609 3100 ================================================================================
2011/08/22 19:05:14.0765 3100 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/22 19:05:14.0843 3100 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/22 19:05:14.0921 3100 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/22 19:05:14.0984 3100 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/08/22 19:05:15.0265 3100 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/22 19:05:15.0375 3100 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/22 19:05:15.0437 3100 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/22 19:05:15.0484 3100 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/22 19:05:15.0515 3100 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/22 19:05:15.0593 3100 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/08/22 19:05:15.0734 3100 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/08/22 19:05:15.0765 3100 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/22 19:05:15.0812 3100 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/22 19:05:15.0890 3100 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/22 19:05:15.0937 3100 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/22 19:05:16.0000 3100 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/22 19:05:16.0078 3100 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/08/22 19:05:16.0140 3100 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/22 19:05:16.0234 3100 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/22 19:05:16.0281 3100 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/22 19:05:16.0343 3100 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/22 19:05:16.0375 3100 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/22 19:05:16.0437 3100 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/22 19:05:16.0515 3100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/22 19:05:16.0656 3100 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/22 19:05:16.0703 3100 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/08/22 19:05:16.0734 3100 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/22 19:05:16.0750 3100 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/08/22 19:05:16.0828 3100 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/08/22 19:05:16.0843 3100 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/22 19:05:16.0875 3100 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/22 19:05:16.0906 3100 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/22 19:05:16.0984 3100 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/22 19:05:17.0093 3100 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/08/22 19:05:17.0234 3100 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/08/22 19:05:17.0375 3100 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/22 19:05:17.0468 3100 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/22 19:05:17.0734 3100 ialm (200cca76cd0e0f7eec78fa56c29b4d67) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/08/22 19:05:18.0046 3100 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/22 19:05:18.0187 3100 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/22 19:05:18.0234 3100 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/08/22 19:05:18.0281 3100 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/22 19:05:18.0296 3100 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/22 19:05:18.0343 3100 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/22 19:05:18.0390 3100 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/22 19:05:18.0421 3100 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/22 19:05:18.0484 3100 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/22 19:05:18.0578 3100 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/22 19:05:18.0625 3100 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/22 19:05:18.0687 3100 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/22 19:05:18.0812 3100 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/08/22 19:05:18.0859 3100 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/22 19:05:18.0906 3100 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/22 19:05:19.0015 3100 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/22 19:05:19.0031 3100 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/22 19:05:19.0093 3100 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/08/22 19:05:19.0234 3100 MpKsl37844886 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B30D2F94-AFB0-4994-9E5D-666592481E90}\MpKsl37844886.sys
2011/08/22 19:05:19.0328 3100 MpKsld8839d3f (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B30D2F94-AFB0-4994-9E5D-666592481E90}\MpKsld8839d3f.sys
2011/08/22 19:05:19.0531 3100 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/22 19:05:19.0609 3100 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/22 19:05:19.0718 3100 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/22 19:05:19.0796 3100 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/22 19:05:19.0812 3100 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/22 19:05:19.0828 3100 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/22 19:05:20.0015 3100 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/22 19:05:20.0312 3100 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/22 19:05:20.0390 3100 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/22 19:05:20.0453 3100 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/22 19:05:20.0515 3100 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/22 19:05:20.0546 3100 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/22 19:05:20.0609 3100 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/22 19:05:20.0687 3100 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/22 19:05:20.0765 3100 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/22 19:05:20.0843 3100 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/22 19:05:20.0875 3100 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/22 19:05:20.0921 3100 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/22 19:05:21.0000 3100 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/22 19:05:21.0031 3100 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/22 19:05:21.0046 3100 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/22 19:05:21.0109 3100 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/22 19:05:21.0250 3100 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/08/22 19:05:21.0281 3100 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/22 19:05:21.0312 3100 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/22 19:05:21.0375 3100 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/22 19:05:21.0437 3100 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/22 19:05:21.0609 3100 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/22 19:05:21.0781 3100 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/22 19:05:21.0796 3100 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/22 19:05:21.0812 3100 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/22 19:05:21.0875 3100 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/22 19:05:21.0984 3100 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/22 19:05:22.0015 3100 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/22 19:05:22.0031 3100 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/22 19:05:22.0062 3100 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/22 19:05:22.0078 3100 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/22 19:05:22.0093 3100 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/22 19:05:22.0171 3100 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/22 19:05:22.0328 3100 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/22 19:05:22.0484 3100 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/22 19:05:22.0515 3100 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/08/22 19:05:22.0562 3100 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2011/08/22 19:05:22.0578 3100 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2011/08/22 19:05:22.0671 3100 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/22 19:05:22.0765 3100 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2011/08/22 19:05:22.0796 3100 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2011/08/22 19:05:22.0937 3100 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/08/22 19:05:22.0968 3100 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/22 19:05:23.0015 3100 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/22 19:05:23.0046 3100 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/08/22 19:05:23.0062 3100 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/08/22 19:05:23.0078 3100 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/22 19:05:23.0203 3100 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/22 19:05:23.0250 3100 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/22 19:05:23.0421 3100 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/22 19:05:23.0531 3100 STHDA (58f855684e163466a5c565adf0865536) C:\WINDOWS\system32\drivers\sthda.sys
2011/08/22 19:05:23.0593 3100 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/22 19:05:23.0625 3100 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/22 19:05:23.0812 3100 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/22 19:05:23.0875 3100 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/22 19:05:23.0937 3100 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/22 19:05:23.0937 3100 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/22 19:05:23.0984 3100 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/22 19:05:24.0031 3100 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/22 19:05:24.0109 3100 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/22 19:05:24.0234 3100 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/22 19:05:24.0296 3100 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/22 19:05:24.0359 3100 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/22 19:05:24.0421 3100 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/22 19:05:24.0484 3100 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/22 19:05:24.0515 3100 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/22 19:05:24.0562 3100 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/22 19:05:24.0687 3100 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/22 19:05:24.0718 3100 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/08/22 19:05:24.0796 3100 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/08/22 19:05:24.0859 3100 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/22 19:05:24.0875 3100 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/22 19:05:24.0921 3100 MBR (0x1B8) (cdac57608c39097805c8c958f1f73d97) \Device\Harddisk0\DR0
2011/08/22 19:05:24.0921 3100 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
2011/08/22 19:05:24.0937 3100 Boot (0x1200) (4b6a25bb6685e6a797f3a856fc73edd2) \Device\Harddisk0\DR0\Partition0
2011/08/22 19:05:24.0968 3100 Boot (0x1200) (7d0c8662ffb1f583b4020e3f7f81a64e) \Device\Harddisk0\DR0\Partition1
2011/08/22 19:05:24.0968 3100 ================================================================================
2011/08/22 19:05:24.0968 3100 Scan finished
2011/08/22 19:05:24.0968 3100 ================================================================================
2011/08/22 19:05:24.0984 2356 Detected object count: 1
2011/08/22 19:05:24.0984 2356 Actual detected object count: 1
2011/08/22 19:05:46.0484 2356 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot
2011/08/22 19:05:46.0484 2356 \Device\Harddisk0\DR0 - ok
2011/08/22 19:05:46.0484 2356 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/22 19:05:52.0843 3720 Deinitialize success


Rootkit.Boot.Pihar.a as you can see was the only infection found and it was cured and removed

MBAM is running but has so far found nothing, after 49,000 items and 52 minutes of scan...

i didnt screw up by not running FixNCR first did i? should i still run it?

XPpro SP3 and using IE5 or IE6 right now because the newest Firefox 6.0 isnt running...

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:54 AM

Posted 22 August 2011 - 07:26 PM

No this is OK, see if you are still redirecting after MBAM and let us know.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 ltdave

ltdave
  • Topic Starter

  • Members
  • 268 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 22 August 2011 - 07:51 PM

okay, MBAM has 3 infections found in 96,000 items and 1:40:xx so far, and MS security essentials keeps popping with threats...

Win32/FakeRean and Win32/Pdfjsc.RF or Win32/Pdfjsc.MZ

its popped the FakeRean 3 times in the last 2 minutes...

there are some others as well:

Java/CVE-2010-0840.D
Win32/Rorpian
Win32/Cycbot!cfg
JS/Blacole.A

MS SE cleans these threats with impunity but there must be SOMETHING letting that crap in. ill post the MBAM log when i get up at midnight for work...

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:54 AM

Posted 22 August 2011 - 08:24 PM

Appears your MBAm may be old. 1.40 now at 1.51.1 Database 7540

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 ltdave

ltdave
  • Topic Starter

  • Members
  • 268 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 22 August 2011 - 11:18 PM

MBAM got rid of 8 processes/problems...

here is the report/log...

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7539

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2011 12:09:00 AM
mbam-log-2011-08-23 (00-09-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 217740
Time elapsed: 1 hour(s), 48 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Security Protection (Rogue.Spypro) -> Value: Security Protection -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\compmgm (Trojan.Agent) -> Value: compmgm -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{accccc52-c07f-43b5-b808-26e810af9680}\RP532\A0055786.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{accccc52-c07f-43b5-b808-26e810af9680}\RP535\A0057194.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{accccc52-c07f-43b5-b808-26e810af9680}\RP538\A0058795.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.3743081692871525.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.5195259550238016.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\13.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.


yeah i had an outdated version Malwarbytes...

i think i probably have gotten it taken care of...

i hope this helps someone ELSE get rid of their crap...

thanks!

#6 ltdave

ltdave
  • Topic Starter

  • Members
  • 268 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 23 August 2011 - 03:53 PM

the results of security check...

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 18
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 9.3.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````


i dont usually run IE (any version) but this crap was messing with the newest firefox so i deleted FF for now....

i dont know what this Ccleaner is. i THOUGHT i deleted it with add/remove programs but apparently its imbedded pretty good or its part of one of these other programs. i also dont know what Windows Security Center is. ive got MS Essentials running and surprizingly enough, i LIKE this MS application...

lemmeno what ya'll think!

would have posted all this earlier but had to go to work and just got done fixing the darling daughters bike for her. were going on a ride after dinner :-D

thanks

Edited by ltdave, 23 August 2011 - 03:56 PM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:54 AM

Posted 24 August 2011 - 09:53 PM

Sorry, had to replace my NIC card and could not get back on until now.

OK, here's the story. You have a backdor Bot in infection and other info stealers.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Let ,e know if you want to clean or re install/
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 ltdave

ltdave
  • Topic Starter

  • Members
  • 268 posts
  • OFFLINE
  •  
  • Local time:02:54 AM

Posted 24 August 2011 - 11:25 PM

ill let you know...

right now i think im okay with either because it was running crappy a few years back and my neighbor (whos really pretty busy with 4 kids) made a C: partition of my OS and other stuff and a D: partition for stuff i want to keep without getting it screwed up if i need to fix C:


does that make sense? id LIKE to not have to worry about losing all of my files and such so if i could do clean or reinstall which ever is better/easier/ more complete..

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,404 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:54 AM

Posted 25 August 2011 - 10:55 AM

That sounds good. You should still svan that before you put it back.
I will copy/paste a reply our quietman7 made that I feel covrs most everything.

From the infected PC Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users