Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Nailing Search System Virus Continued

  • This topic is locked This topic is locked
6 replies to this topic

#1 syn_


  • Members
  • 8 posts
  • Local time:08:45 AM

Posted 18 November 2011 - 01:08 AM

First of all, here's the initial post: http://www.bleepingcomputer.com/forums/topic427737.html

Second, I ran ComboFix, Rootkit.ZeroAccess found, ComboFix appears to have fixed the issue with redirecting (it took three reboots in total I believe).

Third, here's the DDS log and Attach.txt (ZIPPED and attached as per requested).

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_29
Run by rachel at 1:04:31 on 2011-11-18
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.2.1033.18.2967.1597 [GMT -5:00]
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\RotateImage\RCIMGDIR.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://lenovo.live.com/
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uWinlogon: Shell=c:\users\rachel\appdata\local\9ae9057b\X
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11c_Plugin.exe -update plugin
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [CreateLMBCShortCut] "c:\program files\lenovo\mobile broadband connect\UserShortcutCreator.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWlIcon] c:\program files\thinkpad\connectutilities\ACWlIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [MCStart] "c:\program files\bell mobility\mobile connect basic\tscui.exe" /s
mRun: [LENOVO.TPFNF6R] c:\program files\lenovo\hotkey\TPFNF6R.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rcimgd~1.lnk - c:\program files\rotateimage\RCIMGDIR.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-system: WallpaperStyle = 2
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
LSP: mswsock.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer =
TCP: Interfaces\{B0FBF757-5087-4DF3-8873-3CCC0CEE7911} : DhcpNameServer =
TCP: Interfaces\{E00028C0-8E24-4D70-BB98-F3AE64C23702} : DhcpNameServer =
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\rachel\appdata\roaming\mozilla\firefox\profiles\4t0b92bg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?=en
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\rachel\appdata\local\google\update\\npGoogleUpdate3.dll
============= SERVICES / DRIVERS ===============
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-1-29 24304]
R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2010-1-29 232472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-19 13480]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2009-3-19 1680632]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-1-29 132456]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2009-3-19 98304]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-4-20 75112]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-12-17 62320]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-24 524288]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\RCUVCMNP.sys [2009-9-10 186624]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-3-19 482176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-4-20 29736]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-3-27 221824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-13 22216]
R3 NETwNv32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETwNv32.sys [2011-8-3 7341568]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-4-20 48192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2009-11-17 45424]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-13 366152]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-24 360448]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2009-3-19 106496]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-11-2 166144]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-10-28 27192]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2011-11-18 05:54:17 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{11d2addc-71cd-4cce-a028-3596aaa9a0e3}\offreg.dll
2011-11-18 04:58:56 98816 ----a-w- c:\windows\sed.exe
2011-11-18 04:58:56 518144 ----a-w- c:\windows\SWREG.exe
2011-11-18 04:58:56 256000 ----a-w- c:\windows\PEV.exe
2011-11-18 04:58:56 208896 ----a-w- c:\windows\MBR.exe
2011-11-18 04:58:26 -------- d-s---w- C:\ComboFix
2011-11-13 19:03:31 48016 --sha-w- c:\windows\system32\c_54735.nl_
2011-11-13 17:17:40 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-13 17:17:39 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 17:17:38 707584 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-13 06:16:58 -------- d-----w- c:\users\rachel\appdata\roaming\Malwarebytes
2011-11-13 06:16:51 -------- d-----w- c:\programdata\Malwarebytes
2011-11-13 06:16:48 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-13 06:16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-13 06:03:15 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-11-13 05:59:00 -------- d-sh--w- c:\users\rachel\appdata\local\9ae9057b
2011-11-11 07:12:16 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{11d2addc-71cd-4cce-a028-3596aaa9a0e3}\mpengine.dll
2011-11-09 02:58:14 -------- d-----w- c:\users\rachel\appdata\local\Google
2011-11-09 02:18:37 -------- d-----w- c:\program files\DivX
2011-11-09 02:18:37 -------- d-----w- c:\program files\common files\DivX Shared
2011-10-31 02:47:56 -------- d-----w- c:\program files\VideoLAN
2011-10-31 02:43:41 -------- d-----w- c:\program files\uTorrent
2011-10-31 02:43:05 -------- d-----w- c:\users\rachel\appdata\roaming\uTorrent
2011-10-31 02:43:05 -------- d-----w- c:\users\rachel\appdata\local\uTorrent
2011-10-29 16:49:28 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-29 15:21:47 472808 ------w- c:\windows\system32\deployJava1.dll
2011-10-29 15:19:46 -------- d-----w- c:\program files\PeerBlock
2011-10-29 05:54:36 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-29 02:54:19 -------- d-----w- c:\users\rachel\appdata\local\VS Revo Group
2011-10-29 02:54:17 27192 ------w- c:\windows\system32\drivers\revoflt.sys
2011-10-29 02:54:16 -------- d-----w- c:\program files\VS Revo Group
2011-10-29 02:45:02 -------- d-----w- c:\program files\CCleaner
2011-10-28 03:33:17 467072 ------w- c:\windows\system32\drivers\CHDRT32.sys
2011-10-28 03:33:17 301696 ------w- c:\windows\system32\UCI32A59.dll
2011-10-25 22:20:24 6144 ------w- c:\program files\internet explorer\iecompat.dll
2011-10-25 02:59:23 73216 ------w- c:\windows\system32\drivers\usbccgp.sys
2011-10-25 02:59:23 5888 ------w- c:\windows\system32\drivers\usbd.sys
2011-10-25 02:59:23 39936 ------w- c:\windows\system32\drivers\usbehci.sys
2011-10-25 02:59:23 23552 ------w- c:\windows\system32\drivers\usbuhci.sys
2011-10-25 02:59:23 228352 ------w- c:\windows\system32\drivers\usbport.sys
2011-10-25 02:59:23 197632 ------w- c:\windows\system32\drivers\usbhub.sys
2011-10-25 02:54:32 33280 ------w- c:\windows\system32\drivers\watchdog.sys
2011-10-25 01:25:57 -------- d-----w- c:\program files\Cisco
2011-10-25 01:25:55 -------- d-----w- c:\program files\common files\Intel
2011-10-21 00:46:09 -------- d-----w- c:\windows\pss
2011-10-20 00:54:03 -------- d-----w- c:\program files\SopCast
2011-10-19 22:14:56 563712 ------w- c:\windows\system32\oleaut32.dll
2011-10-19 22:14:56 555520 ------w- c:\windows\system32\UIAutomationCore.dll
2011-10-19 22:14:56 4096 ------w- c:\windows\system32\oleaccrc.dll
2011-10-19 22:14:56 238080 ------w- c:\windows\system32\oleacc.dll
==================== Find3M ====================
2011-11-18 08:28:44 35328 ----a-w- c:\windows\system32\drivers\npfs.sys
2011-09-30 23:06:24 916480 ------w- c:\windows\system32\wininet.dll
2011-09-30 23:02:06 43520 ------w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01:34 71680 ------w- c:\windows\system32\iesetup.dll
2011-09-30 23:01:34 109056 ------w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07:25 385024 ------w- c:\windows\system32\html.iec
2011-09-30 21:29:54 133632 ------w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28:36 1638912 ------w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30:12 2043392 ------w- c:\windows\system32\win32k.sys
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x90A344A0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x82A5AAC2] -> \Device\Harddisk0\DR0[0x885278A0]
3 CLASSPNP[0x8ADD18B3] -> ntkrnlpa!IofCallDriver[0x82A5AAC2] -> [0x907F7908]
\Driver\00001217[0x8A5FE1A8] -> IRP_MJ_CREATE -> 0x90A344A0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { JMP 0x10; }
user != kernel MBR !!!
copy of MBR has been found in sector 1 !
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 1:05:18.82 ===============

Attached Files

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 22 November 2011 - 11:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Your logs indicate that a ZeroAccess infection is present on your computer:

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.

BackupYour Registry with ERUNT
  • Please go here, scroll down to ERUNT, and download.
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your Registry to the folder of your choice.

Note: To restore your Registry, go to the folder and start ERDNT.exe

On a Vista or Windows 7 operating system, right click the Erunt.exe and run as Administrator.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt

This may take a while. Please let it finish.

Please post the logs and wait for further instructions.

#3 syn_

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:45 AM

Posted 22 November 2011 - 06:18 PM

DummyCreator by Farbar
Ran by rachel (administrator) on 22-11-2011 at 18:21:15

C:\WINDOWS\2063985050 [22-11-2011 18:06:27]

== End of log ==


SystemLook 30.07.11 by jpshortstuff
Log created at 18:29 on 22/11/2011 by rachel
Administrator - Elevation successful

========== filefind ==========

Searching for "consrv.dll"
No files found.

Searching for "winsrv.dll"
C:\Windows\System32\winsrv.dll ------- 375808 bytes [17:32 01/10/2011] [16:03 17/06/2011] 9A7A3BC8DC7E7ECABA2478CED4C38CBD
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18000_none_b67e96a29c5535ab\winsrv.dll ------- 375296 bytes [02:24 21/01/2008] [02:24 21/01/2008] 8B05FAF8603E6FDE90C5B103761CC3F6
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.18638_none_b66634929c664320\winsrv.dll ------- 375808 bytes [17:30 01/10/2011] [14:47 20/04/2011] F42F8855CB5C22E203C6672B124F17FD
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6001.22904_none_b70c43c5b56f2409\winsrv.dll ------- 375808 bytes [17:30 01/10/2011] [14:37 20/04/2011] D1DE6323ADB727E9E9BFC0C4315A93E1
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.18005_none_b86a0fae997700f7\winsrv.dll ------- 375808 bytes [20:45 02/06/2009] [06:28 11/04/2009] 40864DA48A14EBC68A0D6BFD08BA21EB
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.18456_none_b83507f4999e9a9f\winsrv.dll ------- 375808 bytes [17:30 01/10/2011] [15:55 20/04/2011] 5DF01708D214FDC0075AD197F1889557
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.18484_none_b812979c99b8bbc4\winsrv.dll ------- 375808 bytes [17:32 01/10/2011] [16:03 17/06/2011] 9A7A3BC8DC7E7ECABA2478CED4C38CBD
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.22628_none_b8e116fdb2a2166b\winsrv.dll ------- 375808 bytes [17:30 01/10/2011] [15:13 20/04/2011] 60B351541547DE0A483926AA825D1D1D
C:\Windows\winsxs\x86_microsoft-windows-winsrv_31bf3856ad364e35_6.0.6002.22662_none_b8afd591b2c7ee25\winsrv.dll ------- 375808 bytes [17:32 01/10/2011] [15:19 17/06/2011] 54D17B3CF96B72929A61391E765D7D4C

========== regfind ==========

Searching for "consrv.dll"
No data found.

-= EOF =-

Edited by syn_, 22 November 2011 - 06:29 PM.

#4 nasdaq


  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 23 November 2011 - 11:20 AM

Please Download

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.

How to : Disable Anti-virus and Firewall...

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Post the logs and let me know if the problem persists.

#5 syn_

  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:45 AM

Posted 23 November 2011 - 09:43 PM

Alright now I've ran into a problem.

After running TDSSKiller, I was required to reboot.

Upon doing so, the computer rebooted, which it then ran CHKDSK. After this it tried to boot, but instead gave me this message:

"A problem has been detected and Windows has been shut down to prevent damage to your computer.


If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows update you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advantaged Startup Options, and then select Safe Made.

Technical information:

*** STOP: 0x0000000A (0x00000000, 0x00000002, x00000001, 0x82A6B87C)

Collecting data for crash dump ...
Initializing disk for crash dump ...
Beginning dump of physical memory.
Dumping physical memory to disk: 100
Physical memory dump complete.
Contact your system admin or technical support group for further assistance."

At first I thought maybe this was just a part of the process, so I rebooted, however now it will not allow me to fully logon to windows.

#6 nasdaq


  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 24 November 2011 - 08:54 AM

*** STOP: 0x0000000A

Typically due to a bad driver, or faulty or incompatible hardware or software.


Let try this tool.

PLEASE NOTE: Most authorities say that a PC with a polymorphic file infector can never again be trusted and should be reformatted. You should seriously consider reformatting and reinstalling Windows.

That said, if you wish we can attempt disinfection but you are cautioned that theoretically you can never be sure cleaning is 100% complete.

Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like BurnAware Free or ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
Download Kaspersky Rescue Disk 10
How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

  • Go to a clean PC.
  • Download the .iso image file.
  • Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.

Familiarize yourself with How to create a report file in Kaspersky Rescue Disk 10?

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
Restart your computer and put the disk in the drive while booting.
Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from hard drive automatically.
Select the required interface language using the arrow-keys on your keyboard.
Press the Enter key on the keyboard.
In the start up wizard window that opens, select the Kaspersky Rescue Disk. Graphic Mode
Click Enter.
Click 'A' to accept the agreement.
Select operating system from dropdown menu (select Windows whatever)
Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
Click My Update Center and update if any available
Back to other tab and click Start Object Scan.
(It took 3 hours to scan my 47G)
When scan has completed save a report:

On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
On the upper right hand corner of the Detailed report window, click on the Save button.
After clicking Detailed Report and 'SAVE', a browse window opens.
Double-click on the \
Click 'disks'.
All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
Click on the Save button.
The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.

If successful try this.

In post No 2 I asked that your run ERDNT.exe and save a copy of the registry in a temporary folder.

Navigate to that folder and run ERDNT.exe to restore the save registry.

Keep me posted.

#7 nasdaq


  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:45 AM

Posted 29 November 2011 - 09:35 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users