
System infected: Tidserv Activity 2


3 replies to this topic

#1 moyer-a

moyer-a

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 24 January 2012 - 10:41 AM

Downloaded aswMBR, updated and read it; this is the report:

07:48:17.750 OS Version: Windows 5.1.2600 Service Pack 3
07:48:17.750 Number of processors: 2 586 0x403
07:48:17.765 ComputerName: WAR UserName:
07:48:50.156 Initialize success
07:59:32.312 AVAST engine defs: 12012400
08:23:13.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-19
08:23:13.718 Disk 0 Vendor: ST31500541AS CC34 Size: 1430799MB BusType: 3
08:23:13.750 Disk 0 MBR read successfully
08:23:13.765 Disk 0 MBR scan
08:23:16.125 Disk 0 Windows XP default MBR code
08:23:16.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 742127 MB offset 63
08:23:17.281 Disk 0 Partition - 00 05 Extended 688669 MB offset 1519877520
08:23:17.312 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 687217 MB offset 1519877583
08:23:17.531 Disk 0 Partition - 00 05 Extended 1451 MB offset 2927300040
08:23:17.578 Disk 0 scanning sectors +2930272065
08:23:18.421 Disk 0 scanning C:\WINDOWS\system32\drivers
08:23:25.562 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Smadow [Rtk]
08:23:52.015 Disk 0 trace - called modules:
08:23:52.187 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf7980ff0]<<
08:23:52.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82d68ab8]
08:23:52.453 3 CLASSPNP.SYS[f865dfd7] -> nt!IofCallDriver -> [0x82880dc0]
08:23:52.593 \Driver\00001299[0x82ad03d0] -> IRP_MJ_CREATE -> 0xf7980ff0
08:23:54.640 AVAST engine scan C:\WINDOWS
08:24:19.359 AVAST engine scan C:\WINDOWS\system32
08:27:57.484 AVAST engine scan C:\WINDOWS\system32\drivers
08:27:58.390 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Smadow [Rtk]
08:28:30.546 AVAST engine scan C:\Documents and Settings\AL MOYER
08:32:01.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\AL MOYER\Desktop\MBR.dat"
08:32:01.781 The log file has been saved successfully to "C:\Documents and Settings\AL MOYER\Desktop\aswMBR.txt"


What would be the next step?

Thanks Al

Edited by hamluis, 24 January 2012 - 11:20 AM.
Moved from XP to Am I Infected.
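The aswMBR log above is read by eye in this thread. As an added example (not from the thread, and not the aswMBR authors' code), here is a small Python parser that pulls the MBR status, the partition table, the files flagged **INFECTED** and the driver-dispatch trace out of that log format and lists the lines a helper would act on. The regular expressions, field names and the `triage` rules are assumptions based only on the line formats visible in this post; the sample input is the relevant lines of the posted log, embedded so the script runs offline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the relevant lines of the aswMBR log posted above,
# kept verbatim so the parser is exercised on real tool output.
SAMPLE_LOG = r"""08:23:13.750 Disk 0 MBR read successfully
08:23:16.125 Disk 0 Windows XP default MBR code
08:23:16.156 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 742127 MB offset 63
08:23:17.281 Disk 0 Partition - 00 05 Extended 688669 MB offset 1519877520
08:23:17.312 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 687217 MB offset 1519877583
08:23:25.562 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Smadow [Rtk]
08:23:52.187 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xf7980ff0]<<
08:23:52.593 \Driver\00001299[0x82ad03d0] -> IRP_MJ_CREATE -> 0xf7980ff0
08:27:58.390 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Smadow [Rtk]
"""

# Line patterns (assumed from the log excerpt; every line starts with a timestamp).
INFECTED_RE = re.compile(r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<detection>.+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(
    r"^\S+ (?P<driver>\\Driver\\[^\[\s]+)\[0x[0-9a-fA-F]+\] -> "
    r"(?P<irp>IRP_MJ_\w+) -> (?P<target>0x[0-9a-fA-F]+)$")
PARTITION_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<number>\S+) (?P<boot>[0-9A-F]{2})(?: \(A\))? "
    r"(?P<type>[0-9A-F]{2}) (?P<desc>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$")


@dataclass
class Partition:
    number: str        # "1", "2" or "-" for an extended container
    bootable: bool     # boot indicator byte 0x80
    type_id: str       # partition type byte, e.g. 07 (NTFS), 05 (Extended)
    description: str
    size_mb: int
    offset: int        # start sector


@dataclass
class Hook:
    driver: str        # driver object from the trace, e.g. \Driver\00001299
    irp: str           # major function being dispatched
    target: str        # address the dispatch goes to, lower-cased


@dataclass
class AswMbrReport:
    mbr_default: bool = False                      # "default MBR code" line seen
    partitions: list = field(default_factory=list)
    infected: dict = field(default_factory=dict)   # path -> detection name (deduplicated)
    unknown_modules: set = field(default_factory=set)
    hooks: list = field(default_factory=list)

    def suspicious_hooks(self):
        """Dispatch entries whose target is an address aswMBR could not map to a module."""
        return [h for h in self.hooks if h.target in self.unknown_modules]


def parse_aswmbr(text: str) -> AswMbrReport:
    """Walk the log line by line and collect the facts worth reporting."""
    report = AswMbrReport()
    for line in text.splitlines():
        line = line.rstrip()
        if "default MBR code" in line:
            report.mbr_default = True
        elif (m := PARTITION_RE.match(line)):
            report.partitions.append(Partition(
                number=m["number"], bootable=(m["boot"] == "80"), type_id=m["type"],
                description=m["desc"], size_mb=int(m["size"]), offset=int(m["offset"])))
        elif (m := INFECTED_RE.match(line)):
            # The same file is reported by the MBR pass and the engine pass; keep one entry.
            report.infected[m["path"]] = m["detection"]
        elif (m := HOOK_RE.match(line)):
            report.hooks.append(Hook(m["driver"], m["irp"], m["target"].lower()))
        elif (m := UNKNOWN_RE.search(line)):
            report.unknown_modules.add(m["addr"].lower())
    return report


def triage(report: AswMbrReport) -> list:
    """Turn the parsed report into the short list of findings a helper would reply with."""
    findings = []
    if not report.mbr_default:
        findings.append("MBR code is not the stock OS loader: inspect the saved MBR.dat")
    for path, detection in sorted(report.infected.items()):
        findings.append(f"infected driver on disk: {path} ({detection})")
    for hook in report.hooks:
        where = "an UNKNOWN module" if hook.target in report.unknown_modules else "a listed module"
        findings.append(f"{hook.irp} on {hook.driver} is dispatched to {where} at {hook.target}")
    return findings


if __name__ == "__main__":
    rep = parse_aswmbr(SAMPLE_LOG)
    print("MBR code:", "default" if rep.mbr_default else "NON-DEFAULT")
    for p in rep.partitions:
        flag = "*" if p.bootable else " "
        print(f" {flag} partition {p.number:>2} type {p.type_id} {p.description:<16} "
              f"{p.size_mb:>8} MB @ {p.offset}")
    for finding in triage(rep):
        print("!", finding)
```

Run as-is it prints the partition layout and two findings: the infected afd.sys and the IRP_MJ_CREATE dispatch landing on the address aswMBR could not attribute to a module. The point of pairing those two is that the log's MBR line is clean ("default MBR code"), so the on-disk indicator here is the driver file rather than the boot sector, which is worth stating explicitly in a reply.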



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:53 PM

Posted 24 January 2012 - 11:57 AM

Download TDSSKiller.

Launch it and click on "Scan". Please post the LOG report.



Please download GMER from here

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.

Good luck

#3 moyer-a

moyer-a
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:09:53 PM

Posted 24 January 2012 - 09:54 PM

THANKS

TDSSKILLER done; it killed it dead.

AL

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:09:53 PM

Posted 24 January 2012 - 09:56 PM

You may still be infected.

We need to make sure that the PC is clean. It would be better if you post the GMER log.

Run aswMBR once and post the log.

Good luck

Edited by narenxp, 24 January 2012 - 09:57 PM.




