
PC Hijacked & Need Help Removing/Eradicating


  • This topic is locked
53 replies to this topic

#1 CelestialAura

CelestialAura

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 11 December 2011 - 02:56 PM

Basically have had issue trying to resolve on own. As description states, I believe to have very evasive rootkit/trojan/hijack problem. I had gotten to point after many clean scans & running MWB, Kaspersky, OTL, unable to run Avira, Online Armour ok... denied admin privileges, registry & files locking/denying access, etc... I have now uninstalled a crap load of programs, (my antivirus, firewall, Adobe products, etc....) run CCleaner, then ran RKill, then just ran ComboFix, then HijackThis & have logs... I can see where some things are needing attention, but am unsure how to proceed & do not want to do so until I have these logs looked at. I am lucky to have gotten this far, as it had been getting to point where things were disappearing & had to do Recovery, & now do not want to mess around... I had trouble getting these scans, have them & need some attention please! Thank you in advance for any/all help....

Attached File  cflog113p.txt   16.89KB   7 downloads
Attached File  hijackthis114p.log   1.94KB   3 downloads

Have latest MS Windows updates, am enabling Windows Firewall as I speak...

Merged posts. ~ OB

Edited by Orange Blossom, 11 December 2011 - 04:52 PM.



#2 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 13 December 2011 - 09:40 PM

So basically where I'm at is I had already used ComboFix (haven't uninstalled yet) to get my pc to some kind of working order after restore. I had run some scans. Came up with Antimal stated 9 entries similar to this: 0 Value: hkey_local_machine\software\classes\clsid\{42c9ccda-4485-47b8-a9e5-e8006de9e100}\inprocserver32 --> threadingmodel Trace.Registry.net spy pro 4.6!E1 . Those are quarantined via Antimal. I'll attach this txt log. I also have my DDS & GMER logs.

Permissions changed. Files unobtainable. Various settings changed. Strange behavior/files. Very evasive. Think I did something to help weed it out as I finally got a hit w/Antimal. Here is my road map so far: CPR w/: CCleaner, RKill, ComboFix (this all got my pc to usable order...was dying fast!) aswMBR came up clean, TDSS Killer=clean, ESET got to 68% & stalled w/no threats up til then. Superantispy wouldn't update defs., closed it out, re-ran, got to update, & scan came clean. When trying to download updated defs for Emsi Antimal got error message "something (?) unexpected, process error status 31, request incomplete". Was able to do the same here. Closed & restarted, & started w/quick scan, picked up the "Trace.Registry.net spy pro 4.6!E1" @ 9 instances. I have them quarantined. Settings I used were everything checked to scan using direct disk w/out using file extension filter. I remember seeing a ton of csrss.exe in Virtual Memory files? (This is some note I made during scan). Also bunch of 359******* ZZZZ....ZZZ.....ZZZZZZZZZZZZZZZZZZZ. type folders in C:. I also remember various files in this manner, the stars representing various lettering ***xxx.sys, where there is always xxx.sys in the name. This was in the DLL Cache. The Antimal Scan I believe got hung up a lot on the following: ati1raxx.sys ; ati1tuxx.sys , from DLL Cache. ComboFix quarantined: 2011-12-11 19:04:54 . 2011-12-11 19:04:54 161 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034}.reg.dat; 2011-12-11 18:53:49 . 2011-12-11 18:53:49 4,756 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg; 2011-12-11 18:25:48 . 2011-12-11 18:25:48 51 ----a-w- C:\Qoobox\Quarantine\catchme.log .


I appreciate any & all help! I am a victim of DV & need to get my pc safe/secure again, as abuser's bro is IT Specialist of some sort w/US Govt. & has high security clearance... Oh yes, & 1 more thing. I ran SecurityCheck & it showed Outpost Firewall as being my firewall. Except @ the time I ran scan, I had already been using Avira for a few months. Whatever this exploit is, it really trashed Avira from scanning, obtaining updates, etc... Also, at time of that scan, I didn't have Avira running at all, I had it shut down. Just thought I'd note that... Once everything is back on track I will be using Avira & Online Armour. Not to knock Avira, though, as I was new to using & may still have lingering crap from other security/antivirus/antimal. I had used Outpost Firewall for years.

Happy Holidays!

Attached File  ark.txt   1.51KB   1 downloads
Attached File  attach.txt   19.35KB   1 downloads
Attached File  dds.txt   30.52KB   2 downloads
Attached File  antimalquarantine.txt   3.19KB   3 downloads
Attached File  ComboFix-quarantined-files.txt   394bytes   3 downloads

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:02 AM

Posted 17 December 2011 - 03:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431900 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 18 December 2011 - 10:01 AM

So here is the nutshell (please see previous posts for more specific details): Had problems with permissions & policies, mouse freezing & strange behavior, etc.. starting gradually 4 weeks prior to posting here. I started running scans, etc...to see what was going on. Scans coming clean but probs. getting worse. Lost quick launch toolbar, & seemed like the more I tried to access programs & drivers, things were changing & locking up more. Wouldn't let me change perms even though under admin account, & even if I tried to run as admin. There may be user accounts issues. Poss. too many? Not sure what's going on with that. Got to point where PC was literally dying & becoming almost unusable. I did safe boot, sys restore, installed ComboFix as last resort, ComboFix revived PC. I have not uninstalled CF yet. I have Avira AV & Online Armour uninstalled & am only using Windows Firewall. I have uninstalled a host of other unnecessary/troublesome progs. Afraid to uninstall CF until I have someone look at what's going on. Have completed all HelpBot steps, I have current requested log files, also finally got some hits on some of the numerous scans, & have approx. 3 quarantines going on, can provide logs if you like. Don't want to "remove or fix" until I have educated opinion.

Thanks for your help & time!

Attached Files



#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 AM

Posted 26 December 2011 - 10:59 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

You have got yourself in a right pickle and we need to start to clear the debris. Please do not run anything else without my permission and please learn that Combofix is not something you should be playing with either. The first run showed no malware.

Uninstall Combofix
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Now please list the symptoms that you are experiencing on the machine. Nothing else.

Edited by m0le, 27 December 2011 - 10:11 PM.

m0le is a proud member of UNITE

#6 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 27 December 2011 - 12:37 PM

Hello, & thank you so much for helping me out. I will follow your instructions to a t. I guess maybe I'm just a bit paranoid? No current antiviral or firewall running except Windows Firewall. Will not install, download, etc... any programs or make any changes other than instructed. I will uninstall combofix & follow the rest of the steps & will repost once complete...

Thank you again for your support, & Happy Holidays~

#7 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 27 December 2011 - 12:59 PM

I have uninstalled CF. Basically symptoms were & have been: initially strange mouse behavior, strange files, strange processes noticed every now & then, permissions all changed, wouldn't let me run as admin on admin acct., seemed like the more progs. I would try to run, the more the permissions changed. Issues with programs, I would start one (Firefox) & Adobe Acrobat would load, or I would start something else & Open Office would load. Couldn't run certain AV products, & my current av was Avira, & couldn't get defs to download, couldn't run scans, would hang on certain files. Couldn't get other antivirus or malware related scans to complete without hang. Get various messages from google, & other sites regarding unusual amount of activity from my network, etc... Strange browser behavior at times, I have a Buffalo Wireless Airstation A&G, with this pc hardwired & another PC wireless g. The wireless G was trying to access the ip for the hardwired I am having the issue with. I was running Online Armour & Avira Antivirus on the hardwire. Got to point where I was not getting anything in scans, but pc started to really lock up all at once, & I did it as a last ditch to revive. It worked. I really So now that CF is uninstalled, I will reboot to see what does or doesn't happen. Will update...

#8 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 27 December 2011 - 01:22 PM

So I noticed the past couple/few days, every now & again, CommandService.exe loads in TM. I've been killing it. Didn't seem to have any repercussion. Isn't that cmd? Why would that be loading all of a sudden? I always keep processes locked down & keep eye on what's running. It just started up w/reboot, & it's sitting there running @ 412k. Also, I do remember when started having issues with Avira hanging, not scanning, not updating, etc... Microsoft Visual C++ Runtime errors... "program wants to terminate in unusual way" or something to that effect. To best of my knowledge I had all the versions installed & updated, etc... I also just noticed that I've been having unfixable issues with encrypted google search page loading correctly. Couldn't get the nav menu to load, try to search & only get 1 pg results regardless of having instant off & 40 as results to display. Wouldn't load any further pages, or it would redirect to blank page & hang. Now I just tried to reload google & attempt a search, & the nav menu is gone & I'm unable to search. Now I reloaded & get the classic nav menu. That's probably a google related thing. But I did just get a notice within past couple days from 2 sites that I was sending unusual amount of activity.

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 AM

Posted 28 December 2011 - 08:18 PM

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#10 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 31 December 2011 - 03:13 PM

Sorry took a bit to respond... here you go~

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2011-12-31 10:21:45
-----------------------------
10:21:45.593 OS Version: Windows 5.1.2600 Service Pack 3
10:21:45.593 Number of processors: 1 586 0x209
10:21:45.640 ComputerName: ATYOURSOS UserName: Owner
10:21:49.703 Initialize success
10:27:43.062 AVAST engine defs: 11123100
10:29:49.328 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:29:49.328 Disk 0 Vendor: HDS722540VLAT20 V31OA69A Size: 38146MB BusType: 3
10:29:49.359 Disk 0 MBR read successfully
10:29:49.359 Disk 0 MBR scan
10:29:49.796 Disk 0 Windows XP default MBR code
10:29:49.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38138 MB offset 63
10:29:50.234 Disk 0 scanning sectors +78108030
10:29:50.796 Disk 0 scanning C:\WINDOWS\system32\drivers
10:31:20.234 Service scanning
10:31:33.187 Modules scanning
10:32:26.625 Module: C:\WINDOWS\system32\dla\tfsndres.sys **SUSPICIOUS**
10:32:32.234 Disk 0 trace - called modules:
10:32:32.281 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
10:32:32.500 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81ef3030]
10:32:32.500 3 CLASSPNP.SYS[f92a2fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x81f0e030]
10:32:36.250 AVAST engine scan C:\
13:46:23.203 Scan finished successfully

Edited by CelestialAura, 31 December 2011 - 06:54 PM.


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 AM

Posted 01 January 2012 - 11:58 AM

It says suspicious but the file is legitimate so don't worry about that.


Please run OTL, a different scanner

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#12 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 01 January 2012 - 11:01 PM

Happy New Year! When trying to run OTL scan, it hangs & I get OTL error pop up box which states, " "/" is not a valid integer value", & when this happened the scanning status stated it was currently scanning "HKEY LOCAL MACHINE Winsock2 settings"... there was an "ok" button on the dialog box, I clicked "ok", & it just sits stalled at scanning that area.... cannot get through scan. Please advise...

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 AM

Posted 02 January 2012 - 08:53 AM

Happy New Year to you too! :)

I wasn't expecting an OTL failure.

I think we need to check something else at this stage

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#14 CelestialAura

CelestialAura
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Gender:Female
  • Location:Walnut, CA
  • Local time:10:02 PM

Posted 02 January 2012 - 10:26 AM

Here you go~

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 136):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF9762000 \WINDOWS\system32\KDCOM.DLL
0xF9672000 \WINDOWS\system32\BOOTVID.dll
0xF9213000 ACPI.sys
0xF9764000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF9202000 pci.sys
0xF9262000 isapnp.sys
0xF982A000 pciide.sys
0xF94E2000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF9766000 intelide.sys
0xF9272000 MountMgr.sys
0xF91E3000 ftdisk.sys
0xF94EA000 PartMgr.sys
0xF9282000 VolSnap.sys
0xF91CB000 atapi.sys
0xF9292000 disk.sys
0xF92A2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF91AB000 fltmgr.sys
0xF9196000 drvmcdb.sys
0xF94F2000 PxHelp20.sys
0xF917F000 KSecDD.sys
0xF916C000 WudfPf.sys
0xF90DF000 Ntfs.sys
0xF90B2000 NDIS.sys
0xF9098000 Mup.sys
0xF96EE000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xF92C2000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF8F79000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF8F65000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF953A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF8F41000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF956A000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF92D2000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF8F1E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8DD6000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF8D3E000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF962A000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF9642000 \SystemRoot\System32\Drivers\Modem.SYS
0xF92E2000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF965A000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF92F2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF9512000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF9302000 \SystemRoot\system32\DRIVERS\serial.sys
0xF970A000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF8D2A000 \SystemRoot\system32\DRIVERS\parport.sys
0xF976C000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF9312000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF9322000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF9332000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8CEA000 \SystemRoot\system32\drivers\smwdm.sys
0xF8CC6000 \SystemRoot\system32\drivers\portcls.sys
0xF9342000 \SystemRoot\system32\drivers\drmk.sys
0xF8C13000 \SystemRoot\system32\drivers\senfilt.sys
0xF9947000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF9352000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF972A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF8BFC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF9362000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF9372000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF959A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF8BEB000 \SystemRoot\system32\DRIVERS\psched.sys
0xF9382000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF95C2000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF95D2000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF9392000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF95EA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF9772000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF8B8D000 \SystemRoot\system32\DRIVERS\update.sys
0xF9746000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF93A2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF93C2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF9778000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF96F2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF954A000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF977E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF998C000 \SystemRoot\System32\Drivers\Null.SYS
0xF9782000 \SystemRoot\System32\Drivers\Beep.SYS
0xF9572000 \SystemRoot\system32\drivers\ssrtln.sys
0xF9582000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF9592000 \SystemRoot\System32\drivers\vga.sys
0xF9786000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF978A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF95AA000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF95BA000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF09A5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF094C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF0924000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF0902000 \SystemRoot\System32\drivers\afd.sys
0xF08DC000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF93F2000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF08BA000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF8AE5000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF9602000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF0867000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF07F7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF9422000 \SystemRoot\System32\Drivers\Fips.SYS
0xF905F000 \??\C:\WINDOWS\system32\BUFADPT.SYS
0xF972E000 \??\C:\Program Files\Emsisoft Anti-Malware\a2ddax86.sys
0xF09F4000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF9472000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF09E0000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF9482000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF0717000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF979C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF089A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF966A000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF98FD000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF06B000 \SystemRoot\System32\ialmdd5.DLL
0xBF148000 \SystemRoot\System32\ATMFD.DLL
0xF9432000 \SystemRoot\system32\drivers\drvnddm.sys
0xF9899000 \SystemRoot\system32\dla\tfsndres.sys
0xF05E9000 \SystemRoot\system32\dla\tfsnifs.sys
0xF0643000 \SystemRoot\system32\dla\tfsnopio.sys
0xF981E000 \SystemRoot\system32\dla\tfsnpool.sys
0xF95B2000 \SystemRoot\system32\dla\tfsnboio.sys
0xF9462000 \SystemRoot\system32\dla\tfsncofs.sys
0xF98A9000 \SystemRoot\system32\dla\tfsndrct.sys
0xF05D0000 \SystemRoot\system32\dla\tfsnudf.sys
0xF05B7000 \SystemRoot\system32\dla\tfsnudfa.sys
0xF97AE000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF0497000 \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS
0xF047F000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
0xF043B000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
0xF025A000 \SystemRoot\system32\drivers\wdmaud.sys
0xF0397000 \SystemRoot\system32\drivers\sysaudio.sys
0xF00F0000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEFFBF000 \SystemRoot\System32\Drivers\HTTP.sys
0xEDEC8000 \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys
0xED668000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 20):
0 System Idle Process
4 System
560 C:\WINDOWS\system32\smss.exe
616 csrss.exe
640 C:\WINDOWS\system32\winlogon.exe
684 C:\WINDOWS\system32\services.exe
696 C:\WINDOWS\system32\lsass.exe
876 C:\WINDOWS\system32\svchost.exe
996 svchost.exe
1104 C:\WINDOWS\system32\svchost.exe
1148 C:\WINDOWS\system32\svchost.exe
1224 svchost.exe
1348 C:\WINDOWS\system32\svchost.exe
1360 C:\Program Files\UPHClean\uphclean.exe
1764 C:\WINDOWS\explorer.exe
404 alg.exe
1056 svchost.exe
136 C:\WINDOWS\system32\spoolsv.exe
536 C:\WINDOWS\system32\taskmgr.exe
900 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HDS722540VLAT20, Rev: V31OA69A

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
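The aswMBR and MBRCheck logs posted above list every kernel driver the machine has loaded, and the helper's reply shows why a single "**SUSPICIOUS**" marker (on tfsndres.sys here) is not a verdict: the file turned out to be legitimate. A more useful first pass over an MBRCheck driver list is to sort drivers by where they were loaded from, since a driver sitting in a user Temp directory deserves a second look even when, as with the scanner's own aswMBR.sys, the explanation is benign. The Python below is an added example and is not code from this thread or from the MBRCheck or aswMBR authors; the log excerpts inside it are constructed to match the formats shown above, and the path categories (system, program-files, user-writable, other) are this example's own heuristic, not anything the tools report.

```python
import re

# Constructed excerpt of an MBRCheck log in the format posted in this thread.
# Addresses and the driver set are sample values, not a real machine.
SAMPLE_MBRCHECK = r"""MBRCheck, version 1.2.3

Kernel Drivers (total 5):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0xF9213000 ACPI.sys
0xF08BA000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xEDEC8000 \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys
0xF96EE000 \SystemRoot\system32\DRIVERS\tunmp.sys

Processes (total 2):
4 System
900 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done!
"""

# Constructed excerpt of an aswMBR log, same line format as the one posted above.
SAMPLE_ASWMBR = r"""10:31:33.187 Modules scanning
10:32:26.625 Module: C:\WINDOWS\system32\dla\tfsndres.sys **SUSPICIOUS**
10:32:32.234 Disk 0 trace - called modules:
"""

DRIVER_LINE = re.compile(r"^(0x[0-9A-Fa-f]{8})\s+(\S.*)$")
SUSPICIOUS_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+Module:\s+(\S.*?)\s+\*\*SUSPICIOUS\*\*\s*$")
MBR_ROW = re.compile(r"^\s*(\d+\s*[KMGT]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+?)\s*$")

# Path fragments that point at locations an ordinary user can write to.
# A kernel driver loaded from one of these is unusual and worth reviewing.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                         "\\users\\", "\\desktop\\")


def parse_kernel_drivers(log_text):
    """Return (address, path) pairs from the 'Kernel Drivers' section."""
    drivers, in_section = [], False
    for line in log_text.splitlines():
        if line.startswith("Kernel Drivers"):
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break  # blank line ends the section
            m = DRIVER_LINE.match(line)
            if m:
                drivers.append((m.group(1), m.group(2).strip()))
    return drivers


def _normalize(path):
    """Lower-case, drop the \\??\\ prefix and drive letter, map \\SystemRoot to \\windows."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "\\windows\\" + p[len("\\systemroot\\"):]
    if len(p) > 2 and p[1] == ":":
        p = p[2:]
    return p


def classify_driver_path(path):
    """Heuristic category for where a driver was loaded from (this example's own scheme)."""
    if "\\" not in path:
        return "system"  # bare names such as ACPI.sys are boot drivers from system32\drivers
    p = _normalize(path)
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    if p.startswith("\\windows\\system32\\"):
        return "system"
    if p.startswith("\\program files\\"):
        return "program-files"
    return "other"


def flag_unusual_drivers(log_text):
    """Drivers that did not load from the system or Program Files trees."""
    flagged = []
    for addr, path in parse_kernel_drivers(log_text):
        category = classify_driver_path(path)
        if category in ("user-writable", "other"):
            flagged.append((addr, path, category))
    return flagged


def suspicious_modules(aswmbr_text):
    """Module paths that aswMBR marked **SUSPICIOUS** (a hint, not a verdict)."""
    found = []
    for line in aswmbr_text.splitlines():
        m = SUSPICIOUS_LINE.match(line)
        if m:
            found.append(m.group(1))
    return found


def mbr_status(mbrcheck_text):
    """Map each physical drive to the MBR status text MBRCheck printed for it."""
    status = {}
    for line in mbrcheck_text.splitlines():
        m = MBR_ROW.match(line)
        if m:
            status[m.group(2)] = m.group(3)
    return status


if __name__ == "__main__":
    print("MBR status:", mbr_status(SAMPLE_MBRCHECK))
    print("aswMBR suspicious modules (review manually):", suspicious_modules(SAMPLE_ASWMBR))
    for addr, path, category in flag_unusual_drivers(SAMPLE_MBRCHECK):
        print(f"review: {addr} {path} [{category}]")
```

Running the script against a real MBRCheck log would mean reading the file into `parse_kernel_drivers` instead of the constructed sample; the categories only narrow down what to look at, and each flagged path still has to be checked by hand the way the helper did with tfsndres.sys.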

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:02 AM

Posted 02 January 2012 - 11:14 AM

Let's redownload Combofix and run it

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE



