infected with XP Security 2012


  • This topic is locked This topic is locked
79 replies to this topic

#1 cto


Posted 24 December 2011 - 11:56 AM

An XP Media Center computer went crazy with the fake XP Security 2012. It's still messed up, so any help is greatly appreciated.

The computer was running MS Security Essentials, which did (and still does) nothing to prevent or cure this.

The computer was also running Comodo Internet Security (but not Comodo AV), which let me block the most obvious bad file, hts.exe, and sandbox ping.exe. So the computer is no longer doing a zillion connections to external sites.

BUT... There are a couple of us working on this computer, and due to confusion (AKA panic), ComboFix was run without waiting for your instructions (it was found via Googling, not your site, and we'd used it quite some time ago on a different PC to wonderful result...). ComboFix hung at Stage_4, and after a few hours of nothing happening the computer was rebooted.

AFTER all of the above, we found your site and followed your steps. Below is the DDS.txt log. Attached are the DDS file Attach.txt and the GMER log ark.txt (zipped as ark.zip, because at 620 KB it is too large to upload as-is).

Current status:
Task Manager does not show the virus running, but lots of things aren't working right. For instance, I can't copy+paste files via Explorer, or attach a USB stick (hoping to copy the log files). And the computer boots with Start/Task bar hidden. Plus some programs don't work (can't run IE, but can run Chrome). But at this point, I can't tell if the odd behavior is due to the virus, or ComboFix or DeFogger or GMER or Comodo's actions, or perhaps all of these... Upon reboot, Task Manager shows just a bare minimum of services running, which is also odd; perhaps certain system files are blocked or deleted?

At the end of GMER run, there were a bunch of messages saying various files could not be saved, yet the GMER file seems complete ("EOF" at end of it) and I could save it to the desktop as ark.txt, so I don't know what the "can't save" messages mean.

And, when I run PSPad (text editor) to view the log files, I get this message, in case it means something: "Error: Support for JScript active scripting not found. Install WSH with requested language support." That might be a PSPad-specific error, and maybe it is because of something Comodo blocked. Or it might be the virus/rootkit in action.

I will appreciate suggestions of next steps.

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by johnh at 16:58:39 on 2011-12-23
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService2.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\V0230Mon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\johnh\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Documents and Settings\johnh\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.advisor.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [<NO NAME>]
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [KernelFaultCheck] watcher_disabled.
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoStrCmpLogical = 01000000
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172275233468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15028/CTPID.cab
TCP: Interfaces\{102151AB-4698-43CA-882D-8D7EC1F90321} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\johnh\application data\mozilla\firefox\profiles\hc36xvux.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\johnh\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\johnh\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\johnh\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nitro pdf\reader\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader\npnitromozilla.dll
.
============= SERVICES / DRIVERS ===============
.
R? cmdAgent;COMODO Internet Security Helper Service
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? McrdSvc;Media Center Extender Service
R? Media Center 15 Service;Media Center 15 Service
R? Media Center 16 Service;Media Center 16 Service
R? PSI;PSI
R? V0230Vfx;V0230Vfx
R? V0230VID;Live! Cam Video IM Pro
R? WDC_SAM;WD SCSI Pass Thru driver
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
S? MpFilter;Microsoft Malware Protection Driver
S? NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2
.
=============== File Associations ===============
.
txtfile="c:\program files\pspad editor\PSPad.exe" "%1"
.
=============== Created Last 30 ================
.
2011-12-23 22:28:43 -------- d-sha-r- C:\cmdcons
2011-12-23 22:26:26 98816 ----a-w- c:\windows\sed.exe
2011-12-23 22:26:26 518144 ----a-w- c:\windows\SWREG.exe
2011-12-23 22:26:26 256000 ----a-w- c:\windows\PEV.exe
2011-12-23 22:26:26 208896 ----a-w- c:\windows\MBR.exe
2011-12-23 22:26:10 -------- d-s---w- C:\ComboFix
2011-12-23 17:09:37 356352 ----a-w- c:\documents and settings\johnh\local settings\application data\hst.exe
2011-12-23 16:49:44 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ab5afac1-765e-466c-8a64-9a3df8fe4e18}\mpengine.dll
2011-12-15 17:14:01 -------- d-----w- c:\program files\iPod
2011-12-15 17:13:59 -------- d-----w- c:\program files\iTunes
2011-12-15 17:13:59 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-12-15 17:12:46 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-12-03 00:13:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-15 01:38:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 17:48:01 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-10-07 17:48:00 492768 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-10-07 17:47:59 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-10-07 17:47:11 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-10-07 17:47:10 300200 ----a-w- c:\windows\system32\guard32.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 16:59:30.09 ===============


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:28 AM

Posted 30 December 2011 - 12:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434324 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 cto


Posted 30 December 2011 - 01:08 PM

Posting Reply as requested, everything about the infected computer remains the same as the original posting, except some USB drives will work, and I got the Task Bar to display again, but it doesn't show running programs (Ctrl+Tab does show them). Lots of things broken, but possibly because so many services are not being started, and/or system files might be damaged or deleted by the virus or possibly by ComboFix being only partially run (not-working: Drag+Drop, Copy+Paste, most Start menu and Desktop program links, etc.), per original post.

Presumably I could generate new logs (let me know if necessary), but don't expect they'd show anything different, since the only use of the computer since the logs (in the original post) were generated has been to copy files to a backup drive, to use Chrome to connect to this site, and to turn it off/on a few times.

#4 cto


Posted 30 December 2011 - 08:33 PM

Update: I tried to generate new log files and got the DDS files OK, but GMER again ran for 6 hours, then ended with many errors about "unable to save", "insufficient resources", "data lost", etc. And I can't get control because the error messages are endless. (On a different computer now...) I'll upload what I have if I can get back in to do it, having to power off the computer.

#5 cto


Posted 31 December 2011 - 11:57 AM

Update: Still can't generate new GMER log, runs for about 6 hours, then generates several system and "can't save" messages. Perhaps because C: drive is large (500GB) and has many files (about 2/3 of total space), so GMER temp files get large. BUT, this computer has always handled large projects with ease, lots of empty disk space (177GB), plenty of RAM, etc. SO... please refer to the GMER log provided in the original message.

DDS runs OK, see the log posted in a message yesterday, and here is the attach.txt file.

Lacking any feedback, my hunch is ComboFix being aborted at Stage 4 (a week ago) created new problems. Note that we can't install Malwarebytes because VB6 runtime is missing, and we can't install a new VB6 because that attempt always fails. So to really attack the rootkit probably first we must get the computer back to running more normally. Possibly this means running ComboFix again (and allowing it to run for many hours/days)? Waiting for advice.


#6 m0le

  • Malware Response Team

Posted 01 January 2012 - 12:21 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

GMER looks a bit too busy; please run aswMBR.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#7 cto


Posted 01 January 2012 - 09:12 PM

Thank you for helping.

I ran aswMBR with no problem (unlike GMER); the log is below. It reports some infected files.

Also note the computer's behavior problems (various things don't work) and that ComboFix was run partially then aborted a week ago.

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-01 14:46:00
-----------------------------
14:46:00.359 OS Version: Windows 5.1.2600 Service Pack 3
14:46:00.359 Number of processors: 2 586 0x4B02
14:46:00.359 ComputerName: AUDIO UserName: johnh
14:46:02.375 Initialize success
15:01:57.406 AVAST engine defs: 12010101
15:11:33.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
15:11:33.062 Disk 0 Vendor: WDC_WD5000KS-00MNB0 07.02E07 Size: 476940MB BusType: 3
15:11:33.093 Disk 0 MBR read successfully
15:11:33.093 Disk 0 MBR scan
15:11:33.109 Disk 0 unknown MBR code
15:11:33.125 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 467720 MB offset 63
15:11:33.140 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 9216 MB offset 957891690
15:11:33.140 Disk 0 scanning sectors +976768065
15:11:33.171 Disk 0 scanning C:\WINDOWS\system32\drivers
15:11:38.734 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot-B [Rtk]
15:11:43.062 Service scanning
15:11:44.375 Modules scanning
15:11:47.203 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
15:11:47.796 Disk 0 trace - called modules:
15:11:47.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:11:47.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac07ab8]
15:11:47.812 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000075[0x8aca5f18]
15:11:47.812 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x8ac89940]
15:11:49.531 AVAST engine scan C:\WINDOWS
15:12:10.484 AVAST engine scan C:\WINDOWS\system32
15:13:58.453 AVAST engine scan C:\WINDOWS\system32\drivers
15:14:05.734 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot-B [Rtk]
15:14:21.109 AVAST engine scan C:\Documents and Settings\johnh
15:20:47.234 File: C:\Documents and Settings\johnh\Local Settings\Application Data\hst.exe **INFECTED** Win32:MalOb-IG [Cryp]
15:54:38.468 AVAST engine scan C:\Documents and Settings\All Users
16:42:58.515 Scan finished successfully
18:06:16.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\johnh\Desktop\MBR.dat"
18:06:16.687 The log file has been saved successfully to "C:\Documents and Settings\johnh\Desktop\aswMBR-20120101.txt"

#8 m0le

  • Malware Response Team

Posted 02 January 2012 - 08:38 AM

Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#9 cto


Posted 02 January 2012 - 11:49 AM

As requested, here is the result of TDSSKiller. Note that it found ZERO problems (so fixed nothing), even though aswMBR reported two or three infected files.

08:44:25.0093 1192 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
08:44:27.0109 1192 ============================================================
08:44:27.0109 1192 Current date / time: 2012/01/02 08:44:27.0109
08:44:27.0109 1192 SystemInfo:
08:44:27.0109 1192
08:44:27.0109 1192 OS Version: 5.1.2600 ServicePack: 3.0
08:44:27.0109 1192 Product type: Workstation
08:44:27.0109 1192 ComputerName: AUDIO
08:44:27.0109 1192 UserName: johnh
08:44:27.0109 1192 Windows directory: C:\WINDOWS
08:44:27.0109 1192 System windows directory: C:\WINDOWS
08:44:27.0109 1192 Processor architecture: Intel x86
08:44:27.0109 1192 Number of processors: 2
08:44:27.0109 1192 Page size: 0x1000
08:44:27.0109 1192 Boot type: Normal boot
08:44:27.0109 1192 ============================================================
08:44:28.0796 1192 Initialize success
08:44:39.0328 0212 ============================================================
08:44:39.0328 0212 Scan started
08:44:39.0328 0212 Mode: Manual;
08:44:39.0328 0212 ============================================================
08:44:41.0406 0212 ctprxy2k - ok
08:44:41.0437 0212 ctsfm2k (400cb754b91f73bee2655686a57269d2) C:\WINDOWS\system32\drivers\ctsfm2k.sys
08:44:41.0453 0212 ctsfm2k - ok
08:44:41.0453 0212 dac2w2k - ok
08:44:41.0468 0212 dac960nt - ok
08:44:41.0515 0212 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:44:41.0515 0212 Disk - ok
08:44:41.0562 0212 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:44:41.0593 0212 dmboot - ok
08:44:41.0609 0212 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:44:41.0609 0212 dmio - ok
08:44:41.0625 0212 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:44:41.0625 0212 dmload - ok
08:44:41.0656 0212 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:44:41.0656 0212 DMusic - ok
08:44:41.0671 0212 dpti2o - ok
08:44:41.0687 0212 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:44:41.0687 0212 drmkaud - ok
08:44:41.0718 0212 emupia (7bb488ec082d40645936d9e583f560dc) C:\WINDOWS\system32\drivers\emupia2k.sys
08:44:41.0734 0212 emupia - ok
08:44:41.0750 0212 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:44:41.0750 0212 Fastfat - ok
08:44:41.0781 0212 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:44:41.0781 0212 Fdc - ok
08:44:41.0796 0212 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:44:41.0796 0212 Fips - ok
08:44:41.0812 0212 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:44:41.0812 0212 Flpydisk - ok
08:44:41.0859 0212 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
08:44:41.0859 0212 FltMgr - ok
08:44:41.0875 0212 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:44:41.0875 0212 Fs_Rec - ok
08:44:41.0890 0212 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:44:41.0906 0212 Ftdisk - ok
08:44:41.0906 0212 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
08:44:41.0921 0212 ftsata2 - ok
08:44:41.0921 0212 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
08:44:41.0937 0212 gameenum - ok
08:44:41.0937 0212 GEARAspiWDM - ok
08:44:41.0968 0212 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:44:41.0968 0212 Gpc - ok
08:44:42.0015 0212 ha10kx2k (9bb84b1dff8bce7fdddea746f6819fcf) C:\WINDOWS\system32\drivers\ha10kx2k.sys
08:44:42.0015 0212 ha10kx2k - ok
08:44:42.0046 0212 hap16v2k (1418833169b29780fbdab127623b8767) C:\WINDOWS\system32\drivers\hap16v2k.sys
08:44:42.0046 0212 hap16v2k - ok
08:44:42.0078 0212 hap17v2k (8b3148391dc121d96d513785d588e75b) C:\WINDOWS\system32\drivers\hap17v2k.sys
08:44:42.0093 0212 hap17v2k - ok
08:44:42.0125 0212 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:44:42.0125 0212 HDAudBus - ok
08:44:42.0156 0212 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:44:42.0156 0212 HidUsb - ok
08:44:42.0171 0212 hpn - ok
08:44:42.0218 0212 HSXHWBS2 (1f5c64b0c6b2e2f48735a77ae714ccb8) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
08:44:42.0234 0212 HSXHWBS2 - ok
08:44:42.0296 0212 HSX_DP (a7f8c9228898a1e871d2ae7082f50ac3) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
08:44:42.0328 0212 HSX_DP - ok
08:44:42.0375 0212 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
08:44:42.0375 0212 HTTP - ok
08:44:42.0390 0212 i2omgmt - ok
08:44:42.0406 0212 i2omp - ok
08:44:42.0437 0212 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:44:42.0437 0212 i8042prt - ok
08:44:42.0453 0212 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:44:42.0453 0212 Imapi - ok
08:44:42.0468 0212 ini910u - ok
08:44:42.0500 0212 Inspect (d22ac37cbe6cf295416ef84245b804a8) C:\WINDOWS\system32\DRIVERS\inspect.sys
08:44:42.0500 0212 Inspect - ok
08:44:42.0625 0212 IntcAzAudAddService (ab2fe0faa519880bd16e4a0792d633d2) C:\WINDOWS\system32\drivers\RtkHDAud.sys
08:44:42.0718 0212 IntcAzAudAddService - ok
08:44:42.0734 0212 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
08:44:42.0734 0212 IntelIde - ok
08:44:42.0765 0212 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:44:42.0781 0212 intelppm - ok
08:44:42.0796 0212 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
08:44:42.0796 0212 Ip6Fw - ok
08:44:42.0812 0212 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:44:42.0812 0212 IpFilterDriver - ok
08:44:42.0828 0212 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:44:42.0828 0212 IpInIp - ok
08:44:42.0859 0212 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:44:42.0875 0212 IpNat - ok
08:44:42.0890 0212 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:44:42.0890 0212 IPSec - ok
08:44:42.0921 0212 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:44:42.0921 0212 IRENUM - ok
08:44:42.0937 0212 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:44:42.0937 0212 isapnp - ok
08:44:42.0953 0212 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:44:42.0953 0212 Kbdclass - ok
08:44:42.0984 0212 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:44:42.0984 0212 kmixer - ok
08:44:43.0031 0212 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
08:44:43.0031 0212 KSecDD - ok
08:44:43.0046 0212 lbrtfdc - ok
08:44:43.0093 0212 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
08:44:43.0093 0212 mdmxsdk - ok
08:44:43.0125 0212 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
08:44:43.0125 0212 MHNDRV - ok
08:44:43.0140 0212 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:44:43.0140 0212 mnmdd - ok
08:44:43.0156 0212 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:44:43.0156 0212 Modem - ok
08:44:43.0171 0212 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:44:43.0171 0212 Mouclass - ok
08:44:43.0218 0212 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:44:43.0218 0212 mouhid - ok
08:44:43.0296 0212 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
08:44:43.0296 0212 MountMgr - ok
08:44:43.0343 0212 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
08:44:43.0343 0212 MpFilter - ok
08:44:43.0359 0212 mraid35x - ok
08:44:43.0406 0212 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:44:43.0406 0212 MRxDAV - ok
08:44:43.0468 0212 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:44:43.0484 0212 MRxSmb - ok
08:44:43.0515 0212 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
08:44:43.0515 0212 MSDV - ok
08:44:43.0531 0212 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:44:43.0531 0212 Msfs - ok
08:44:43.0562 0212 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:44:43.0562 0212 MSKSSRV - ok
08:44:43.0578 0212 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:44:43.0578 0212 MSPCLOCK - ok
08:44:43.0593 0212 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:44:43.0593 0212 MSPQM - ok
08:44:43.0640 0212 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:44:43.0640 0212 mssmbios - ok
08:44:43.0656 0212 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:44:43.0656 0212 MSTEE - ok
08:44:43.0687 0212 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
08:44:43.0687 0212 Mup - ok
08:44:43.0718 0212 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:44:43.0718 0212 NABTSFEC - ok
08:44:43.0750 0212 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:44:43.0765 0212 NDIS - ok
08:44:43.0781 0212 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:44:43.0781 0212 NdisIP - ok
08:44:43.0812 0212 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:44:43.0812 0212 NdisTapi - ok
08:44:43.0843 0212 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:44:43.0843 0212 Ndisuio - ok
08:44:43.0859 0212 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:44:43.0859 0212 NdisWan - ok
08:44:43.0890 0212 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:44:43.0890 0212 NDProxy - ok
08:44:43.0906 0212 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:44:43.0906 0212 NetBIOS - ok
08:44:43.0937 0212 NetBT (732fb4b0b4f492ab7a1d2227ca2b2d43) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:44:43.0937 0212 NetBT - ok
08:44:43.0968 0212 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
08:44:43.0968 0212 NIC1394 - ok
08:44:43.0984 0212 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:44:43.0984 0212 Npfs - ok
08:44:44.0031 0212 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
08:44:44.0046 0212 Ntfs - ok
08:44:44.0062 0212 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:44:44.0078 0212 Null - ok
08:44:44.0390 0212 nv (18c9b152da7bea76b2f9e4b6412e0aaf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
08:44:44.0640 0212 nv - ok
08:44:44.0687 0212 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
08:44:44.0687 0212 NVENETFD - ok
08:44:44.0718 0212 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
08:44:44.0718 0212 nvnetbus - ok
08:44:44.0765 0212 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:44:44.0765 0212 NwlnkFlt - ok
08:44:44.0796 0212 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:44:44.0796 0212 NwlnkFwd - ok
08:44:44.0812 0212 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
08:44:44.0812 0212 ohci1394 - ok
08:44:44.0859 0212 ossrv (01e1ab8249f9dde5978c6b4af18eda7c) C:\WINDOWS\system32\drivers\ctoss2k.sys
08:44:44.0859 0212 ossrv - ok
08:44:44.0890 0212 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
08:44:44.0906 0212 Parport - ok
08:44:44.0906 0212 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:44:44.0906 0212 PartMgr - ok
08:44:44.0937 0212 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:44:44.0937 0212 ParVdm - ok
08:44:44.0953 0212 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:44:44.0953 0212 PCI - ok
08:44:44.0968 0212 PCIDump - ok
08:44:44.0984 0212 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:44:45.0000 0212 PCIIde - ok
08:44:45.0015 0212 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
08:44:45.0015 0212 Pcmcia - ok
08:44:45.0031 0212 PDCOMP - ok
08:44:45.0046 0212 PDFRAME - ok
08:44:45.0046 0212 PDRELI - ok
08:44:45.0062 0212 PDRFRAME - ok
08:44:45.0078 0212 perc2 - ok
08:44:45.0093 0212 perc2hib - ok
08:44:45.0140 0212 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:44:45.0140 0212 PptpMiniport - ok
08:44:45.0156 0212 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
08:44:45.0171 0212 Processor - ok
08:44:45.0218 0212 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
08:44:45.0218 0212 Ps2 - ok
08:44:45.0234 0212 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
08:44:45.0234 0212 PSched - ok
08:44:45.0265 0212 PSI (14e6fb92f1788982e2bbc81d915b1f02) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
08:44:45.0265 0212 PSI - ok
08:44:45.0281 0212 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:44:45.0281 0212 Ptilink - ok
08:44:45.0312 0212 PxHelp20 (97b735de4e3cd44c71c8cb09bdbf07b7) C:\WINDOWS\system32\Drivers\PxHelp20.sys
08:44:45.0312 0212 PxHelp20 - ok
08:44:45.0328 0212 ql1080 - ok
08:44:45.0343 0212 Ql10wnt - ok
08:44:45.0359 0212 ql12160 - ok
08:44:45.0359 0212 ql1240 - ok
08:44:45.0375 0212 ql1280 - ok
08:44:45.0406 0212 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:44:45.0406 0212 RasAcd - ok
08:44:45.0421 0212 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:44:45.0421 0212 Rasl2tp - ok
08:44:45.0437 0212 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:44:45.0453 0212 RasPppoe - ok
08:44:45.0453 0212 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:44:45.0453 0212 Raspti - ok
08:44:45.0484 0212 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:44:45.0484 0212 Rdbss - ok
08:44:45.0500 0212 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:44:45.0500 0212 RDPCDD - ok
08:44:45.0515 0212 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
08:44:45.0531 0212 rdpdr - ok
08:44:45.0562 0212 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
08:44:45.0578 0212 RDPWD - ok
08:44:45.0609 0212 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:44:45.0609 0212 redbook - ok
08:44:45.0671 0212 rspndr (a3b23fb3f295694091f51865f98588b2) C:\WINDOWS\system32\DRIVERS\rspndr.sys
08:44:45.0671 0212 rspndr - ok
08:44:45.0687 0212 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
08:44:45.0703 0212 rtl8139 - ok
08:44:45.0734 0212 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:44:45.0734 0212 Secdrv - ok
08:44:45.0765 0212 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
08:44:45.0765 0212 Serial - ok
08:44:45.0796 0212 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:44:45.0796 0212 Sfloppy - ok
08:44:45.0812 0212 Simbad - ok
08:44:45.0843 0212 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:44:45.0843 0212 SLIP - ok
08:44:45.0859 0212 snapman (624f51c7c12b9aeec433a2dd9b43f90f) C:\WINDOWS\system32\DRIVERS\snapman.sys
08:44:45.0875 0212 snapman - ok
08:44:45.0906 0212 sonypvs1 (dfadfc2c86662f40759bf02add27d569) C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
08:44:45.0906 0212 sonypvs1 - ok
08:44:45.0937 0212 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
08:44:45.0953 0212 SONYPVU1 - ok
08:44:45.0953 0212 Sparrow - ok
08:44:45.0984 0212 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:44:45.0984 0212 splitter - ok
08:44:46.0000 0212 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:44:46.0000 0212 sr - ok
08:44:46.0046 0212 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
08:44:46.0062 0212 Srv - ok
08:44:46.0093 0212 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:44:46.0093 0212 streamip - ok
08:44:46.0093 0212 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:44:46.0109 0212 swenum - ok
08:44:46.0125 0212 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:44:46.0125 0212 swmidi - ok
08:44:46.0140 0212 symc810 - ok
08:44:46.0156 0212 symc8xx - ok
08:44:46.0171 0212 sym_hi - ok
08:44:46.0187 0212 sym_u3 - ok
08:44:46.0218 0212 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:44:46.0218 0212 sysaudio - ok
08:44:46.0281 0212 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:44:46.0296 0212 Tcpip - ok
08:44:46.0328 0212 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:44:46.0328 0212 TDPIPE - ok
08:44:46.0328 0212 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
08:44:46.0343 0212 TDTCP - ok
08:44:46.0343 0212 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:44:46.0343 0212 TermDD - ok
08:44:46.0375 0212 tifsfilter (b84b82c0cbeb1b0d7eb7a946bade5830) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
08:44:46.0375 0212 tifsfilter - ok
08:44:46.0421 0212 timounter (1dcf219ec8de87c99b5ad6216000f6d3) C:\WINDOWS\system32\DRIVERS\timntr.sys
08:44:46.0437 0212 timounter - ok
08:44:46.0453 0212 TosIde - ok
08:44:46.0484 0212 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:44:46.0500 0212 Udfs - ok
08:44:46.0500 0212 ultra - ok
08:44:46.0546 0212 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:44:46.0562 0212 Update - ok
08:44:46.0593 0212 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
08:44:46.0593 0212 usbaudio - ok
08:44:46.0609 0212 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:44:46.0609 0212 usbccgp - ok
08:44:46.0656 0212 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:44:46.0656 0212 usbehci - ok
08:44:46.0671 0212 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:44:46.0671 0212 usbhub - ok
08:44:46.0687 0212 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
08:44:46.0687 0212 usbohci - ok
08:44:46.0734 0212 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:44:46.0734 0212 usbstor - ok
08:44:46.0750 0212 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:44:46.0765 0212 usbuhci - ok
08:44:46.0796 0212 V0230Vfx (a0c643d5f8c60f12faa6e3454dfe9c32) C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys
08:44:46.0812 0212 V0230Vfx - ok
08:44:46.0859 0212 V0230VID (5a2d30399a114fc4863539f02c484b11) C:\WINDOWS\system32\DRIVERS\V0230VID.sys
08:44:46.0875 0212 V0230VID - ok
08:44:46.0890 0212 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:44:46.0890 0212 VgaSave - ok
08:44:46.0906 0212 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
08:44:46.0906 0212 ViaIde - ok
08:44:46.0921 0212 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:44:46.0921 0212 VolSnap - ok
08:44:46.0937 0212 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:44:46.0937 0212 Wanarp - ok
08:44:46.0984 0212 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
08:44:46.0984 0212 WDC_SAM - ok
08:44:46.0984 0212 WDICA - ok
08:44:47.0015 0212 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:44:47.0031 0212 wdmaud - ok
08:44:47.0093 0212 winachsx (11ec1afceb5c917ce73d3c301ff4291e) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
08:44:47.0109 0212 winachsx - ok
08:44:47.0171 0212 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:44:47.0171 0212 WSTCODEC - ok
08:44:47.0218 0212 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:44:47.0218 0212 WudfPf - ok
08:44:47.0265 0212 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:44:47.0265 0212 WudfRd - ok
08:44:47.0312 0212 MBR (0x1B8) (ed18b096bc416bfb306882a7c2eba877) \Device\Harddisk0\DR0
08:44:47.0343 0212 \Device\Harddisk0\DR0 - ok
08:44:47.0343 0212 Boot (0x1200) (fb322c2625107979e5276fd267e7464c) \Device\Harddisk0\DR0\Partition0
08:44:47.0343 0212 \Device\Harddisk0\DR0\Partition0 - ok
08:44:47.0359 0212 Boot (0x1200) (ca2d52092633af49646eeacbfae62bc0) \Device\Harddisk0\DR0\Partition1
08:44:47.0359 0212 \Device\Harddisk0\DR0\Partition1 - ok
08:44:47.0359 0212 ============================================================
08:44:47.0359 0212 Scan finished
08:44:47.0359 0212 ============================================================
08:44:47.0375 1612 Detected object count: 0
08:44:47.0375 1612 Actual detected object count: 0

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 January 2012 - 02:03 PM

Note that it found ZERO problems (so fixed nothing), even though aswMBR reported two or three infected files.


TDSS moves so fast that it's not always possible to update the database in time. Even large companies can't do this.

Please run Combofix

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#11 cto

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:California, USA

Posted 02 January 2012 - 09:27 PM

ComboFix has been running for about seven hours and is up to "Complete Stage_5". It's been running unattended, so I don't know when it reached Stage 5. At this point I can't tell if anything is happening; the drive light doesn't seem to flicker.

I'll let it keep running overnight (my time, California), but if it hasn't finished by morning (approx 18 hours after start), what should I do?

#12 cto

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:California, USA

Posted 03 January 2012 - 10:19 AM

Is ComboFix hung? It's been running for 20 hours, but for at least the past 13 hours it's been at "Completed Stage_5". I don't see hard drive light action.

It's still "running" (?), but what should I do? Reboot and start Combofix again? Or what?

#13 cto

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:California, USA

Posted 03 January 2012 - 02:48 PM

ComboFix just passed 24 hours of running, but it's been at "Completed Stage_5" for at least the past 17 hours. Is it doing anything?

My urge is to reboot and run it again, possibly from Safe Mode, but I'm awaiting instructions.

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 January 2012 - 06:28 PM

Don't try and run Combofix again. It is being stopped by the rootkit.

Try this please. You will also need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download dumpit to your USB
  • Remove the USB & CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back into your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

m0le is a proud member of UNITE
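Once mbr.zip is in hand, the helper's side of this step is to look at the dumped sector. Here is an added Python triage script of my own (not dumpit, and not code m0le posted) that reads a raw or zipped 512-byte MBR, checks the boot signature and partition table, and hashes the boot-code region so it can be compared with a known-good value. It constructs its own sample MBR inline; its reading of the "(0x1B8)" in the TDSSKiller MBR log line above as the length of the hashed boot-code region is an assumption.

```python
import hashlib
import struct
import zipfile
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
BOOT_CODE_LEN = 0x1B8   # assumption: bytes hashed by the TDSSKiller "MBR (0x1B8)" line
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE   # 0x55AA marks a valid boot sector


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def load_mbr(path: str) -> bytes:
    """Read the first sector from a raw dump, or from the first file inside mbr.zip."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return zf.read(zf.namelist()[0])[:SECTOR]
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, type_id = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if type_id == 0 and sectors == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region, comparable with a known-good value."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def triage(mbr: bytes, known_good_md5: Optional[str] = None) -> List[str]:
    """Return findings worth a closer look; an empty list means nothing stood out."""
    if len(mbr) < SECTOR:
        return [f"dump is {len(mbr)} bytes, expected at least {SECTOR}"]
    findings = []
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("empty partition table")
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):  # overlapping entries suggest a tampered table
        if a.lba_end >= b.lba_start:
            findings.append(f"partition {a.index} overlaps partition {b.index}")
    if known_good_md5 and boot_code_md5(mbr) != known_good_md5.lower():
        findings.append("boot code hash differs from the known-good value")
    return findings


def build_sample_mbr(tamper: bool = False) -> bytes:
    """Constructed 512-byte MBR used as sample input; not taken from any real disk."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xC0\x8E"                      # opening bytes of a plain boot stub
    struct.pack_into("<I", mbr, 0x1B8, 0x1234ABCD)  # disk signature (constructed)
    entries = [(0x80, 0x07, 63, 20_971_520),          # active NTFS partition
               (0x00, 0x07, 20_971_583, 2_097_152)]   # second NTFS partition
    for i, (status, ptype, start, count) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        mbr[off], mbr[off + 4] = status, ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    if tamper:
        mbr[0:3] = b"\xEB\xFE\x90"                  # replaced boot stub: hash no longer matches
    return bytes(mbr)
```

Run triage() on load_mbr("mbr.zip") with the boot-code hash from a known-clean machine of the same make to see whether the stub changed, which is the kind of difference the log entries alone cannot show.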

#15 cto

  • Topic Starter
  • Members
  • 52 posts
  • Gender:Male
  • Location:California, USA

Posted 03 January 2012 - 07:42 PM

Here's mbr.zip generated by xPUD on the sick computer.

Attached Files

  • mbr.zip (2.14 KB)




